Tags: OpenVPN/openvpn3-linux
OpenVPN 3 Linux v24 (Bugfix/security release)

The v24.1 release is a small security and bugfix release.

* Security: CVE-2025-3908 - openvpn3-admin init-config follow symlink issue

  Wolfgang Frisch from the SUSE security team reached out and notified us of a potential issue with the openvpn3-admin init-config command following symlinks when creating needed directories. This has been resolved; the command no longer follows symlinks and will insist that the user running it set up these directories manually with the correct ownership and privileges.

* Bugfix: openvpn3 session-manage --log-level can crash the Session Manager

  When changing the log level for an ongoing VPN session to an invalid log-level value, the Session Manager process would fail and stop running due to an uncaught exception. This would not affect the ongoing VPN sessions, but none of those sessions could be managed via the Session Manager any more. This has been fixed and the Session Manager will now reply to the caller with an error message instead.

  This issue was reported by Wolfgang Frisch from the SUSE security team.

* Bugfix: Control character injection via command line arguments

  All the command line arguments would pass on ASCII control characters, which could be used to inject misleading information into logs. Since none of the entry points for user data need ASCII control characters, except newline characters in a few places, these characters are now removed.

  This issue was reported by Wolfgang Frisch from the SUSE security team.

* Bugfix: openvpn3-service-backendstart crash during shutdown

  Occasionally the openvpn3-service-backendstart helper service could crash during its shutdown phase. This was due to an uncaught exception. This has been resolved.

* Bugfix: VPN session failing to start without org.freedesktop.hostname1

  The current client code expected the org.freedesktop.hostname1 (systemd-hostnamed) service to be available. On systems without systemd, this would result in the client waiting a longer time for this service to appear before continuing. Meanwhile, the Session Manager would not receive a response in time from this client process, thus considering it unresponsive and stopping the VPN session instead. This has been resolved by querying the master D-Bus service whether the org.freedesktop.hostname1 service is available, and continuing without it if it is unavailable.

* Build fix: Meson clean-up

  Newer Meson versions had several minor complaints about the build configuration. These issues should now be resolved and Meson should no longer report any warnings.

* Build fix: GCC-15 related build issues

  The GCC-15 compiler now complains about more issues which were not raised by prior compiler versions with the same compiler flags. The issues raised by GCC-15 are now fixed.

Known issues:

- openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours.
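
An added C++ example for the symlink issue described under CVE-2025-3908 above; it is not code from openvpn3-linux. It prepares a directory through a parent directory descriptor and refuses symlinks, foreign owners and group/world-writable modes. The function names, the DirCheck enum, the 0750 mode and the constructed demo tree under /tmp are assumptions made for this illustration.

```cpp
// Added illustration, not openvpn3-linux code. Names and modes are assumptions.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum class DirCheck { Ok, IsSymlink, NotDirectory, WrongOwner, TooPermissive, Error };

// Open `name` below `parent_fd` without following a symlink in the final
// path component, then validate the object that was actually opened.
DirCheck verify_dir(int parent_fd, const char *name, uid_t owner)
{
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
    {
        // The open is refused for a symlink (ENOTDIR or ELOOP, depending on
        // the platform). The lstat-style lookup only selects the diagnostic.
        int err = errno;
        struct stat lst {};
        if (fstatat(parent_fd, name, &lst, AT_SYMLINK_NOFOLLOW) == 0 && S_ISLNK(lst.st_mode))
            return DirCheck::IsSymlink;
        return (err == ENOTDIR) ? DirCheck::NotDirectory : DirCheck::Error;
    }
    // fstat() on the descriptor describes the directory we hold open, so a
    // later swap of the path name cannot change what is being checked.
    struct stat st {};
    DirCheck res = DirCheck::Ok;
    if (fstat(fd, &st) != 0)
        res = DirCheck::Error;
    else if (st.st_uid != owner)
        res = DirCheck::WrongOwner;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        res = DirCheck::TooPermissive;
    close(fd);
    return res;
}

// Create the directory when it is absent, never traversing a symlink.
// mkdirat() fails with EEXIST when `name` is a symlink, even a dangling one.
DirCheck ensure_dir(int parent_fd, const char *name, uid_t owner)
{
    if (mkdirat(parent_fd, name, 0750) != 0 && errno != EEXIST)
        return DirCheck::Error;
    return verify_dir(parent_fd, name, owner);
}

struct DemoResult { DirCheck fresh, symlinked, dangling, loose, file; };

// Builds a constructed tree in a private temp directory and checks each entry.
DemoResult run_demo()
{
    DemoResult r{DirCheck::Error, DirCheck::Error, DirCheck::Error,
                 DirCheck::Error, DirCheck::Error};
    char tmpl[] = "/tmp/ovpn3-symlink-demo-XXXXXX";
    const char *base = mkdtemp(tmpl);
    int pfd = base ? open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC) : -1;
    if (pfd < 0)
        return r;
    uid_t me = geteuid();
    int plain = openat(pfd, "plain", O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    bool ok = plain >= 0
              && mkdirat(pfd, "elsewhere", 0700) == 0
              && symlinkat("elsewhere", pfd, "configs") == 0    // link to a real dir
              && symlinkat("missing-target", pfd, "state") == 0 // dangling link
              && mkdirat(pfd, "loose", 0700) == 0
              && fchmodat(pfd, "loose", 0777, 0) == 0;
    if (plain >= 0)
        close(plain);
    if (ok)
    {
        r.fresh = ensure_dir(pfd, "new", me);
        r.symlinked = ensure_dir(pfd, "configs", me);
        r.dangling = ensure_dir(pfd, "state", me);
        r.loose = ensure_dir(pfd, "loose", me);
        r.file = ensure_dir(pfd, "plain", me);
    }
    const char *dirs[] = {"new", "elsewhere", "loose"};
    const char *others[] = {"configs", "state", "plain"};
    for (const char *d : dirs)
        (void)unlinkat(pfd, d, AT_REMOVEDIR);
    for (const char *o : others)
        (void)unlinkat(pfd, o, 0);
    close(pfd);
    (void)rmdir(base);
    return r;
}

int main()
{
    static const char *names[] = {"ok", "refused: symlink", "refused: not a directory",
                                  "refused: wrong owner", "refused: too permissive", "error"};
    DemoResult r = run_demo();
    std::printf("new dir:          %s\n", names[static_cast<int>(r.fresh)]);
    std::printf("symlink to dir:   %s\n", names[static_cast<int>(r.symlinked)]);
    std::printf("dangling symlink: %s\n", names[static_cast<int>(r.dangling)]);
    std::printf("mode 0777 dir:    %s\n", names[static_cast<int>(r.loose)]);
    std::printf("regular file:     %s\n", names[static_cast<int>(r.file)]);
    return 0;
}
```

Only the final path component is protected by O_NOFOLLOW; the parent descriptor itself has to come from a location the caller already trusts.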

---- Changes from v24 to v24.1 -------------------------------------

David Sommerseth (31):
      build: Misc cleanup in Meson build scripts
      build: Fix incorrect default value assignment for create_statedir option
      common: Refactor Configuration::File to use std::filesystem
      ovpn3cli/init-config: Refactor file/directory handling to use std::filesystem
      ovpn3cli/init-config: Don't follow symlinks setting up state/configs dirs
      sessionmgr: Catch incorrect log level requests in Session object
      build: Fix minor meson complaint in addons/aws
      build: Improve OpenVPN 3 Core library version extraction
      events/log: Refactor Events::Log()
      events/log: Simplify Events::Log::str() methods
      events/log: Implement character filter in Events::Log
      log: Extend LogSender with a Debug_wnl() method
      log/core: Enable multi-line logging via the Core D-Bus logger
      log/journal: Don't filter newlines from journald entries
      log: Preserve the newlines in the log when openvpn3-service-log starts
      tests: Add --allow-newline to logservice1 send subcommand
      common/cmdargparser: Minor code cleanup in RegisterParsedArgs::register_option()
      common/cmdargparser: Filter out ASCII control characters from command line
      common: Merge and move string ctrl char sanitizing to a shared function
      log: Filter strings coming via D-Bus calls
      sessionmgr/client: Filter reason string to Pause D-Bus method call
      common: Filter input value to RequiresQueue::UpdateEntry()
      tests/request-queue: Remove unused local function
      configmgr/test: Add tests for control chars in various configuration profiles
      configmgr: Remove control characters from various user input via D-Bus
      netcfg: Remove control characters from the D-Bus method inputs
      log: Add missing cstdint header in logmetadata.hpp
      common: Check if org.freedesktop.hostname1 is available in PlatformInfo
      client: Handle exceptions in ~BackendStarterSrv
      build: Allow version tags to contain dots and minor version digits
      configmgr/proxy: Ignore minor version number in feature check

--------------------------------------------------------------------
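
An added C++ example for the control character bugfix in the v24.1 notes above; it is not code from openvpn3-linux. It shows a filter that drops ASCII control characters with an opt-in exception for newline, and how an unfiltered value turns one log record into two. The names strip_ctrl_chars, format_log_line and log_lines, the log line layout and the sample reason string are assumptions constructed for this illustration.

```cpp
// Added illustration, not openvpn3-linux code. All names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>

// Remove ASCII control characters (0x00-0x1F and 0x7F) from untrusted input.
// Newline survives only when the caller explicitly allows it, for the few
// inputs where multi-line text is legitimate.
std::string strip_ctrl_chars(const std::string &in, bool allow_newline)
{
    std::string out;
    out.reserve(in.size());
    // Iterate as unsigned char: with a signed char, UTF-8 bytes >= 0x80 are
    // negative and would wrongly satisfy a "< 0x20" comparison.
    for (unsigned char c : in)
    {
        bool is_ctrl = (c < 0x20) || (c == 0x7f);
        if (is_ctrl && !(allow_newline && c == '\n'))
            continue;
        out.push_back(static_cast<char>(c));
    }
    return out;
}

// A line-oriented log record: one record is expected to be exactly one line.
// The timestamp and layout are constructed for this example.
std::string format_log_line(const std::string &reason)
{
    std::string line = "2025-05-01T12:00:00 INFO Session paused, reason: ";
    line += reason;
    line += '\n';
    return line;
}

// Number of lines a reader of the log file would see for this record.
std::size_t log_lines(const std::string &rendered)
{
    return static_cast<std::size_t>(std::count(rendered.begin(), rendered.end(), '\n'));
}

// Constructed input: a "reason" value carrying CR, LF and an ESC sequence,
// so that the text after the newline looks like a separate log record.
std::string constructed_reason()
{
    return "lunch break\r\n2025-05-01T12:00:01 INFO Session resumed by operator\x1b[31m";
}

int main()
{
    const std::string raw = constructed_reason();
    const std::string clean = strip_ctrl_chars(raw, false);
    std::printf("unfiltered record spans %zu line(s)\n", log_lines(format_log_line(raw)));
    std::printf("filtered record spans   %zu line(s)\n", log_lines(format_log_line(clean)));
    std::printf("filtered value: %s\n", clean.c_str());
    return 0;
}
```

The filter is applied where the value enters the program, so every later consumer of the string sees the cleaned value.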

OpenVPN 3 Linux v24 (Stable release)

The v24 release is another stable release. This resolves issues reported in several earlier releases and improves OpenVPN 3 Linux in several areas.

* Improvement: Add --dns option support

  DNS resolver settings have been troublesome for many years, since there are slightly different implementations which handle the possible pushed DNS options differently between OS platforms and even across client implementations on a single platform. A new --dns option attempts to resolve this; it can be used instead of the various --dhcp-option settings related to DNS. The --dns option has been available since OpenVPN 2.6. The OpenVPN 3 Core Library has had this support since v3.7. But the needed processing of this option has been lacking in OpenVPN 3 Linux until now.

  The --dns option makes it possible to configure more modern DNS features such as split-DNS, DNS-over-TLS and DNSSEC. This will in most cases work out of the box when using systemd-resolved as the local DNS resolver, but it also depends on the features available in systemd-resolved in the Linux distribution being used. Currently, systemd-resolved does not support DNS-over-HTTPS [1]. If this is attempted, the connection will disconnect.

  For users only using /etc/resolv.conf, only the traditional DNS server and search domain settings will be configured. All the additional DNS features will be ignored.

  [1] <systemd/systemd#8639>

* Improvement: Provide better details about the remote server

  The openvpn3 sessions-list command would list a "Session name" when a client session had successfully connected to a remote server. This information was static and not changed since the initial connection. If the VPN configuration profile had more and different --remote lines, only the first connection would be reflected in this "Session name".

  In v24 this has been changed by querying the VPN client process about the server it is currently connected to. The "Session name" line has thus been replaced with a "Connected to" line which will also include details about connection protocol, DCO mode and port number in use.

  Note: Due to an issue in the OpenVPN 3 Core Library, the port number is currently not provided on DCO connections.

* Improvement: Provide better messages to end-user on session start issues

  When starting a VPN session, it could fail for various reasons. The reason itself was never provided to the end-user starting the session, and it was necessary to dig into the log files to figure out why it was failing.

  With this release, the openvpn3 session-start command will present an end-user friendly reason when the client process provides a reason for the failure. This reduces the need to search the logs for the initial understanding of why it failed.

* Improvement: Better error message when modifying sealed configurations

  When attempting to modify a sealed VPN configuration profile (which is read-only), a fairly verbose, debug-like error message was provided to the user. This has been improved to give a more end-user friendly error message instead.

* Improvement: Upgrade to OpenVPN 3 Core Library v3.10.4

  This resolves an issue where a configuration profile using --pull-filter with single quotes instead of double quotes would be incorrectly parsed.

  VPN sessions with DCO enabled could also fail if --inactive was used. This has been fixed in this Core Library release.

* Bugfix: Starting VPN sessions could fail on slower systems

  In some cases, the openvpn3-service-backendstart would not start quickly enough. This would result in the Session Manager not getting a response back soon enough that the VPN client process had been started, and it would fail the VPN session start.

  With the updated GDBus++ and further improvements in the Session Manager, it will now be more graceful to slower starting services and not fail as quickly. This allows the supporting helper services to be able to start properly before interacting with them.

* Bugfix: Add support for dhcp-option ADAPTER_DOMAIN_SUFFIX

  The ADAPTER_DOMAIN_SUFFIX is one of these ambiguous --dhcp-options being treated differently across client implementations. This setting has so far been ignored in OpenVPN 3 Linux until this release. The best user experience seemed to be achieved by parsing this as an alias to the DOMAIN-SEARCH feature. This seems to align best with common user expectations.

* Bugfix: DNS search domains might not be removed from /etc/resolv.conf

  Under some unclear situations, the DNS search domains were not always removed from /etc/resolv.conf. This has been an open issue for a long time, but it seems to have improved since the v22_dev with GDBus++.

  We still see this occasionally on a few Linux distributions with systemd-resolved. But since we also see systemd-resolved accepting the DNS updates and removals, we believe this might be more of an issue in systemd-resolved at this point. This issue appears now only with systemd-resolved and is not reproducible in all environments.

* Bugfix: Duplicated name servers or search domains to /etc/resolv.conf

  In prior releases, when the Network Configuration service was configured to use /etc/resolv.conf for DNS resolving, it could append duplicated DNS name servers and search domains if duplicates were pushed or added by other VPN connections or present prior to starting the VPN session.

  In v24 duplicated name servers and search domains are filtered out to only have a single presence of them in /etc/resolv.conf.

* Bugfix: openvpn3 sessions-list does not reflect the correct DCO status

  When running the openvpn3 sessions-list and openvpn3-admin sessionmgr-service --list-sessions commands, the DCO status was not necessarily reflecting the reality. Typically, if the VPN client process failed to activate and use the DCO kernel module, it would still be listed as DCO enabled while in reality being a normal tun interface.

  This has been resolved in v24, where it will now query the VPN client process for the actual DCO status and not just the configured and requested DCO mode.

* Bugfix: Stray VPN sessions not cleaned up

  In cases where a VPN session has had a log forwarder enabled (like via the openvpn3 log command) and that log forwarder has been stopped, the VPN session would be lingering in the Session Manager as a stray session with no available session details. This is also seen via openvpn3 sessions-list. Attempting to remove the session using openvpn3 session-manage would fail with an error.

  This has been resolved in v24, where the error situations which might appear if a previous log forwarder could not be identified are now properly handled and will not block the internal session clean-up in the Session Manager.

* Bugfix: Spurious CreateVirtualInterface() errors when re-starting failing sessions

  In some special situations where a running VPN session stopped and a restart was attempted after an openvpn3 session-manage --cleanup, the tunnel would fail with various CreateVirtualInterface() and TUN_SETUP_FAILED errors.

  The session management code has been gradually improved since v22_dev, v23 and now v24, where stopped and failing sessions are handled better and removed correctly in the Session Manager.

* Bugfix: openvpn3 log with --session-path does not work

  In some scenarios, using openvpn3 log --session-path did not work and did not report any log events. This has been under investigation for a long time and this issue has not been seen since the release with v22_dev and GDBus++. We consider this issue resolved with the updated openvpn3-service-log service in the v22_dev release.

* Bugfix: openvpn3 session-start fails with only 2FA authentication

  The openvpn3 session-start command would fail to start a session if the configuration profile only required 2FA authentication. This has also been fixed since the v22_dev with GDBus++ release, which included a refactoring of how VPN sessions were established.

* Bugfix: Spurious GLib error messages

  The shell completion (with bash-completion installed) could often show disturbing and confusing GLib-GObject-CRITICAL errors in its output. This has most likely been fixed since v22_dev and the migration to the GDBus++ library. Since this did not happen each time and it varied a bit which Linux distributions it happened on, we've kept this on our radar for some time. We now feel more confident this type of error is being handled properly and should not disturb the user any more.

Known issues:

- openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours.

---- Changes from v23 to v24 ---------------------------------------

David Sommerseth (56):
      configmgr: Improve error message on sealed config profiles
      configmgr: Switch to std::set<> for target lists for ACL checks
      docs: Re-enable doxygen build target
      client: Add support for --dhcp-option ADAPTER_DOMAIN_SUFFIX
      client: Stop running VPN clients in client destructor
      client: Properly plug-in DBus::MainLoop handling in BackendClientObject
      client: Make BackendSignals::LogFATAL() thread safe
      client: Extend BackendSignals to have access to a DBus::MainLoop object
      client: Improve exception handling when starting client worker thread
      client: Handle COMPRESS_ERROR events
      ovpn3cli/session-start: Retrieve more status details when throwing SessionException
      client: Fix incorrect error message in NetCfgTunBuilder::socket_protect()
      client: Move DNS scope logging from LOG_DEBUG to LOG_VERB2
      cleanup: Remove pointless local scope ovpn3cli::session::start_session()
      configmgr: Add debug option --use-session-bus
      log: Rework the tear-down of ProxyLogEvents objects
      netcfg: Cleanup NetCfgException
      dbus/signals: Add Signals::StatusChange::LastEvent()
      client: Add BackendSignals::LastStatusEvent()
      client: Add new property: connection
      sessionmgr: Implement extraction of connection details from client
      client: Extract DCO status from ConnectionInfo when available
      ovpn3cli/sessions-list: Improve session information with connection details
      build: Minor tweaks to D-Bus/systemd/state-dir build options
      netcfg/proxy: Make all proxy methods const methods
      netcfg/proxy: Extend NetCfgProxy::Device with openvpn::DnsOptions parsing
      client: Enable --dns option parsing in the VPN client
      netcfg/resolved: Extend systemd-resolved proxy with DNSSEC support
      policy/netcfg: Grant privilege to set DNSSEC on systemd-resolved
      netcfg/systemd-resolved: Implement support for setting the DNSSEC mode
      netcfg: Extend NetCfgDevice with D-Bus APIs for DNSSEC
      netcfg/proxy: Extend NetCfgProxy::Device with DNSSEC support
      netcfg/proxy: Extend NetCfgProxy::Device::AddDnsOptions() with DNSSEC support
      netcfg/resolved: Extend systemd-resolved proxy with SetDNSOverTLS()
      policy/netcfg: Grant privilege to set DNS-overTLS in systemd-resolved
      netcfg/systemd-resolved: Implement support for setting the DNS transport mode
      netcfg/systemd-resolved: Refactor and simplify the code
      netcfg: Extend NetCfgDevice with D-Bus APIs for setting DNS transport
      netcfg/proxy: Extend NetCfgProxy::Device with DNS transport support
      netcfg/proxy: Extend NetCfgProxy::Device::AddDnsOptions() with DNS transport support
      codestyle: Fix misc deviating code style to conform with .clang-format
      dbus/signals: Include iostream
      client: Improve debugging in openvpn3-service-backendstart
      client/backendstart: Move LogServiceProxy inside the service object
      sessionmgr: Add RegistrationRequest debug logging
      sessionmgr: Allow net.openvpn.v3.backends to settle before accessing it
      ovpn3cli: Start a glib2 MainLoop in the command line tools
      sessionmgr/proxy: Replace sleep with waiting for SESS_CREATED signal
      ovpn3cli/sessions-list: Don't show "Connected to" without any details
      netcfg/proxy: Disable support for DoH
      core: Update to latest OpenVPN 3 Core Library v3.10.4
      vendor: Update to ASIO 1.32.0
      client: Fix missing handling of the delayed shutdown thread in BackendSignals
      sessionmgr: Fix misbehaviour if GetUID() fails in Session::helper_stop_log_forwards()
      client: Add support for a couple more TLS error events
      ovpn3cli: Improve mainloop start synchronisation

Petr Portnov (2):
      build: reduce hardcoded 'asio_path'
      build: allow installation directories' customization

Razvan Cojocaru (7):
      cleanup: Remove stray semicolons
      configmgr/overrides: Remove OverrideType::invalid
      configmgr/overrides: Use glib2::DataType::Extract(value)
      configmgr/overrides: Remove struct OverrideValue
      configmgr/overrides: Rename ValidOverride -> Override
      sessionmgr: Remove unused Session::connection_started bool
      netcfg/resolvconf-file: Don't add nameservers that already exist

--------------------------------------------------------------------

OpenVPN 3 Linux v23 (Stable release)

The v23 release is a stable release which expands the distribution target since v22_dev was released. The goal for this step was to stabilize the codebase which was migrated to GDBus++ and the new Meson build system.

This release brings back the OpenVPN 3 AWS-VPC Add-on, which was not ready for the v22_dev release. This service has also been migrated to use GDBus++. The behaviour of this add-on should otherwise be identical to the service shipped in v21 and older releases.

In addition, a new add-on is included in this release. The Cloud Connexa service is being extended with a new functionality, referred to as Device Posture Checks (DPC). This feature will enable the VPN server to request certain checks to be performed on the client side and reported back to the server. These checks are restricted to what the new OpenVPN 3 Device Posture Service (openvpn3-service-devposture) provides.

To enable the client-side functionality, the VPN client configuration must be pre-imported and an Enterprise ID must be assigned to the configuration profile. That will allow the server to request Device Posture Checks to be performed.

The currently implemented DPC tests only provide platform information, like Linux distribution name and version, kernel versions, CPU architecture and the client's local time. In future releases, more tests may be implemented.

Known issues:

- Shell completion may list duplicated options in some cases
- openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours.

Other changes:

* Improvement: Upgrade to OpenVPN 3 Core Library v3.10.1

  This library update provides the Device Posture Check functionality in the OpenVPN wire protocol. A fix to resolve compilation errors when the -Wnon-virtual-dtor compiler flag is enabled is included too.

* Bugfix: Report client and version correctly in IV_GUI_VER

  The v22_dev release unfortunately changed the format of the IV_GUI_VER. It would report 'openvpn3-linux/v22:dev' when it should have been 'OpenVPN3/Linux/v22_dev'. This has been corrected.

* Bugfix: --tag option not working with config-import or config-manage

  A regression bug was introduced in v22_dev which handled the tracking of available Configuration Manager features incorrectly and ended up disabling this feature in the openvpn3 config-import and openvpn3 config-manage commands. This has been fixed.

* Bugfix: systemd-resolved support rejected IPv6 DNS resolver address

  An oversight in the systemd-resolved implementation refused to accept pushed DNS resolver addresses when they were IPv6 addresses. This has been fixed and both IPv4 and IPv6 addresses are now fully supported.

* Improvement: Python configuration parser support for --connect-retry{,-max}

  The Python configuration parser in the openvpn3 module did not provide a pass-through for the --connect-retry and --connect-retry-max options. This meant that configuration profiles containing these options would not function when using the Python based tools, while they would work using the 'openvpn3' command.

Credits
-------

Thanks go to those continuing to test and report issues.

A special thanks to Grzegorz Gutowski, who provided the fix to the Python module. He is also the project lead behind the openvpn3-indicator project, which provides a tray-icon for OpenVPN 3 Linux. If you use a graphical desktop, that's a project worth checking out!

Many thanks also go to Razvan Cojocaru, who has stepped in providing many great improvements and done all the work for the Device Posture support in OpenVPN 3 Linux. And Lev Stipakov, who migrated the OpenVPN 3 AWS-VPC add-on service to GDBus++.

---- Changes from v22_dev to v23 ---------------------------------------

David Sommerseth (24):
      configmgr: Load configuration profiles before starting the D-Bus service
      netcfg: Make NetCfgNotifSubscriptions use uint32_t as filter bit mask
      codestyle: Fix minor code style deviations
      build: Enable overriding OpenVPN 3 Core Library version string
      scripts: Modify the output of the --gui-version
      addons/devposture: Fix compilation error with older JsonCpp libraries
      addons/devposture: Make devposture-proxy test program more generic
      addons/devposture: Document the Enterprise Profile file format
      build: Install some additional documentation by default
      docs: Clarify a GDBus++ and mbed TLS build dependencies better
      build: Set PACKAGE_NAME to 'OpenVPN3/Linux'
      Some minor #include clean-ups
      configmgr: Cleaning up #include files
      configmgr: Use CoreLog for logging events from the Core library.
      client: Don't stop if devposture service is unavailable
      devposture/test: Improve argument parsing in devposture-proxy
      addon/devposture/proxy: Properly re-throw DevPosture::Proxy::Handler exceptions
      netcfg/resolved: Factor out resolved::Exception to a separate file
      tests/resolved: Extend systemd-resolved proxy test client with IPv6 support
      netcfg/resolved: Add new D-Bus IP Address parser class
      netcfg/resolved: Use GDBus++ glib2 helpers extracting data in SearchDomains::GetGVariant
      netcfg/resolved: Plug-in resolved::IPAddress into ResolverRecord
      netcfg/resolved: Refactor out resolved::ResolverRecord
      core: Update to OpenVPN 3 Core Library v3.10.1

Grzegorz Gutowski (1):
      python: Pass through --connect-retry and --connect-retry-max

Lev Stipakov (5):
      netcfg: use proper C++ base type for NetCfgChangeType
      netcfg/proxy: Check non-response call for nullptr before freeing
      configmgr: remove unused class members
      addons/aws: Switch to GDBus++
      addons/aws: adapt to core RandomAPI changes

Razvan Cojocaru (10):
      core: Update to OpenVPN 3 Core Library releaseprep/3.10
      addons/devposture: Add openvpn3-linux-devposture
      configmgr: Add the enterprise-profile override
      ovpn3cli/config: Add openvpn3 config-manage --enterprise-profile
      client: Plug in Device Posture support
      configmgr: Use a regular expression to determine version number
      configmgr: Accumulate proxy feature flags instead of overwriting
      netcfg: Check stub-resolv.conf before giving up on systemd-resolved
      common: give SingleCommand a virtual destructor
      addons/devposture: Add core_ver and extra_ver to client_info

OpenVPN 3 Linux v22_dev (Limited Release)

This is a limited release primarily targeting Fedora 39 and newer plus Ubuntu 24.04. Other Linux distributions shipping glib2 version 2.76 or newer will also benefit from this release.

This release contains a massive re-factoring of the D-Bus integration layer with glib2. The glib2 2.76 and newer releases contain several internal changes which broke the D-Bus implementation layer in OpenVPN 3 Linux v21 and older releases [1]. To fix this, it was decided to split out the base D-Bus integration into a new standalone library which OpenVPN 3 Linux will depend on. This new project is called GDBus++.

[1] <#171>

This change brings in a vastly improved D-Bus integration which will now make extended use of multi-threading when processing D-Bus method calls and implements modern C++17 approaches when handling requests to registered D-Bus objects. There has also been a strong focus on getting rid of as many as possible of the various glib2 warnings which could occasionally appear in prior OpenVPN 3 Linux releases.

There is most likely still a lot more room for improvements to both the new DBus++ and the upgraded OpenVPN 3 Linux code, which is why this release targets a more limited release scope. That said, this new code can be made available for all the officially supported RPM distributions by enabling a "development snapshots" repository. But this repository will also not have the same QA guarantees as the official stable repositories. This release has only been through the full QA validation on Fedora 39, Fedora 40 and Ubuntu 24.04.

On a development note, this project has now migrated to use Meson [2] as the build system. The autoconf/automake build system is now completely removed. The Meson build system has turned out to be way simpler to use and configure than autotools ever was, especially from a developer's point of view.

[2] <https://mesonbuild.com/>

There are unfortunately a few known issues which are targeted for the coming v23 release:

- AWS VPC integration is not yet ready, so this add-on is currently not available in this v22_dev release.
- Shell completion may list duplicated options in some cases
- openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours.

Other changes worth mentioning with this release:

* Improvement: Upgrade to OpenVPN 3 Core library v3.8.5

  This upgrade contains several bug fixes related to the option parser, mostly issues reported by a wide range of users. In addition, it fixes incorrect behaviour with the stub compression when the --compress option was used.

* Improvement: openvpn3-admin journal --since argument

  The --since argument can now use the keywords 'today' and 'yesterday'.

* Bug fix: openvpn3-admin log-service would not change some settings

  On some distributions, the --dbus-details and other boolean flags were not properly changed when requested. This has been improved.

Credits
-------

Finally, a HUGE THANK YOU is due to all the community testers who installed and tested rolling development snapshots during the development of this release. Without all this testing, we would not have the same confidence in this release as we have now. All your help and feedback has been really valuable and helpful during the development phase.

---- Changes from v21 to v22_dev ---------------------------------------

David Sommerseth (324):
      ovpn3cli/admin: log-service lacked initial state and init
      ovpn3cli/admin: Add today/yesterday to journal --since
      codestyle: Use default lambda scope indentation
      processwatch: Remove the processwatch.hpp feature
      idlecheck: Remove IdleChecker implementation for GDBus++ refactoring
      build: Add bare meson build setup
      GDBus++: First step in migrating to the new D-Bus implementation
      GDBus++: Rework constants setup for OpenVPN 3 Linux
      GDBus++: Migrate the log/proxy-log.hpp implementation
      build: Add bare meson setup for generating man pages
      build: Install the base D-Bus policy
      build: Replace individual D-Bus auto-start service files with a template
      GDBus++: Migrate openvpn3-service-backendstart
      build: Add some log handling into the internal shared common library
      GDBus++: Migrate D-Bus proxy code for net.openvpn.v3.config
      client: Simplify StatusEvent() constructors
      build: Extend version extraction to include a few git flags
      build: Build and install SELinux policies via Meson
      GDBus++: Partial migration of netcfg code required to build VPN client backend
      common: Extend RequiresQueue with callback functionality
      GDBus++: Complete migration of StatusEvent()
      GDBus++: Kick out THROW_LOGEXCEPTION() macro
      GDBus++: GDBus++: Complete migration of LogEvent()
      GDBus++/LogSender: Use SignalDeclaration() methods setting up signals
      GDBus++/common: Improve RequiresQueue, avoid static_cast<>()
      GDBus++: First stab at migrating openvpn3-service-client
      build/selinux: Fix wrongly behaving SELinux build detection
      build: Fix issues with missing sd_id128 variable in meson
      build: Prepare the ground for building dco-keyconfig.proto
      GDBus++/common: Migrate PlatformInfo
      GDBUs++/sessionmgr: Initial migration of SessionManager::Event()
      GDBus++/netcfg: Initial migration of NetCfg:DNS::ResolverSettings()
      netcfg: Enforce smart-pointer usage for NetCfg::DNS::ResolverSettings()
      GDBus++/netcfg: Extend NetCfgChangeType with GDBus++ glib2 helpers
      GDBus++: Migrate the unit tests
      client/log: Rewrite the Core library D-Bus log implementation
      client: Fix minor coding style issues in ConnectionStatDetails
      common: Refactor build-config.h inclusion in MachineID
      Avoid including build-config.h in header files
      GDBus++: Complete migration of NetCfg::DNS::SettingsManager
      common: Add missing sstream include file in configfileparser.hpp
      GDBus++: Migrated NetCfgSubscriptions
      client: Minor code cleanup in core-client.hpp
      GDBus++: Migrate NetCfgSignals
      GDBus++: Extend NetCfgProxy::Device with DCO support
      GDBus++/client: Fix dco and log_level property handling
      client: Remove pointless debug logging of the current run status
      client: Add debug logging when validate_sender() rejects a caller
      build: Use --prod-version as Meson project version
      build: Replace hard-coded -Werror with werror option
      client/core: Rename 'signal' object to 'signals'
      client/core: Reorder and fix #include file related challenges
      client/core: Relocate statistics.hpp include
      client/core: Clean up some #include hierarchy in core-client/core-client-netcfg
      build: Add libnl-3.0 as a dependency
      build: Add debug_internal build configuration flag
      client: Add BackendSignals::Create() static helper function
      log/proxy: Use DBus::Object::Path instead of std::string
      configmgr/proxy: Use DBus::Object::Path instead of std::string
      client: Use DBus::Object::Path in NetCfgTunBuilder::netcfg_get_device_path()
      client: Cleanup leftovers in NetCfgTunBuilder for ovpncli-netcfg
      client: Add debug logging when requesting NetCfg Cleanup()
      netcfg/proxy: Use DBus::Object::Path instead of std::string
      tests/netcfg: Migrate netcfg-changeevent-selftest to GDBus++/meson
      netcfg: Migrate NetCfgChangeEvent fully to GDBus++
      tests/netcfg: Migrate netcfg-proxy-unit to GDBus++/Meson
      tests/netcfg: List D-Bus paths if the "Re-fetching" fails
      core: Update to OpenVPN 3 Core Library v3.8.4
      netcfg/dns: Migrate NetCfg::DNS::resolved proxy to GDBus++
      netcfg/dns: Refactor the SettingsManager and ResolverBackendInterface
      netcfg/dns: Refactor NetCfg::DNS::ResolvConfFile
      netcfg/dns: Fix NetCfg::DNS::ResolverSettings::operator<<() behaviour
      netcfg/dns: Refactor NetCfg::DNS::SystemdResolved
      netcfg/build: Include NetCfgChangeType into the static netcfg library
      build: Move some netcfg components out of the static libnetcfg library
      GDBus++: Migrate openvpn3-service-netcfg (non-DCO)
      selinux: Allow openvpn3-service-netcfg to use syslog
      client: Fix incorrect empty session_path property
      client: Explicitly set the scope on a few Core library types
      netcfg/dns: Fix glib2 GVariant ref counting issues
      netcfg: Preserve a pointer to the LogWriter object in NetCfgDevice
      netcfg: Return the proper data type in DcoAvailable
      netcfg: GDBus++: Complete migration of openvpn3-service-netcfg
      vendor: Remove googletest as a git submodule
      netcfg: Check the results when preserving capabilities
      netcfg/dns: systemd-resolved SetDefaultRoute is a method
      netcfg/dns: Detect unsupported SetDefaultRoute feature in systemd-resolved
      sessionmgr: Replace GetIntrospection() with SessionManager::Event::SignalDeclaration()
      sessionmgr: Minor cleanups of SessionManager::Event
      log: Make the StatusChange signal optional in LogSender
      log: Make LogWriter::Ptr a std::shared_ptr
      netcfg: Use DBus::Object::Path in method_fetch_interface_list()
      client: Add AttentionReq class
      GDBus++/tests: Migrate signal-listener
      configmgr/proxy: Do an extra object existence check in ctor
      dbus: Add a GDBus++ DBus::Object extension - Object::ACL
      core: Update to OpenVPN 3 Core Library v3.8.5
      Provide operator<<() function for OpenVPN 3 Linux specific types
      log: Fix incorrect data type in LogProxy::ProxyLogEvents()
      python: Migrate openvpn3.constants generator to Meson
      sessionmgr: Remove not needed arg in SessionManager::Event::SignalDeclaration()
      build: Include dbus/path.cpp into the common static library
      sessionmgr: Adding SessionManager::NewTunnelQueue infrastructure
      sessionmgr: Add generic code for sending session and manager signals
      sessionmgr: GDBus++ migration of the openvpn3-service-sessionmgr
      Codestyle refresh of migrated code
      docs: Update openvpn3-service-sessionmgr man page
      docs: Update D-Bus documentation for net.openvpn.v3.sessions
      vendor: Upgrade ASIO to v1.30.2
      build: Relocate build-version.h for dist packaging
      build: Fix scripts/get-version, use proper path for build-version.h
      build: Generate and install openvpn3/constants.h
      netcfg/dns: Fix missing virtual destructor compiler warnings
      configmgr: Fix warnings about dangling references
      gdbus++: Simplified DBus::Service API
      tests: Extend request-queue-service with file logging
      tests: Add request-queue-test
      tests: Make PlatformInfo unit-test run without D-Bus
      tests: Add more Meson test cases
      tests: Classify already declared Meson test cases
      events: Relocate AttentionReq and StatusEvent
      events: Relocate LogEvent into Events::Log
      dbus: Codestyle cleanup in GDBusPP::Object::Extension::ACL
      dbus/signals: Refactor AttentionRequired and StatusChange signals
      sessionmgr: Cleanup in sessionmgr-events.hpp
      log: Refactor LogFilter to Log::EventFilter
      dbus/signals: Implement ::Signals::Log
      dbus: Clean up minor issues in DBusRequiresQueueProxy
      dbus: Extend DBusRequiresQueueProxy to allow proxy assignment later on
      sessionmgr: Migrate the Session Manager D-Bus proxy client to GDBus++
      dbus/signals: Implement Signals::ReceiveLog
      log: Clarify DBus::Signal::Group::Create() call destination
      signals/statuschange: Harden StatusChange::GetLastStatusChange() in empty cases
      client/backendstart: Rework how StatusChange signals are sent
      client: Rework how backend VPN client sends StatusChange/AttentionRequired
      client: Rework RegistrationRequest signal sending
      sessionmgr: Refactor out StatusChange calls via LogSender
      sessionmgr: Fix a few minor codestyle related issues
      log: Remove StatusChange signal handling from LogSender
      log: Remove classes and features which is no longer needed
      tests: Migrate logservice1 debug/test tool to GDBus++
      tests: Extend logservice1 with logtag settings support
      build: Refactor ENABLE_DEBUG macro in netcfg-dns-direct-file-selftest
      build: Remove debug_internal setting
      common: Add a '[DCO]' tag in get_version() string when DCO enabled
      build: Redo the ENABLE_OVPNDCO macro setup
      log: Clean up LogTag
      log: Extend Log::EventFilter with a smart-pointer creator
      log: Cleanup LogMetaData and LogMetaDataValue
      events: Extend Events::Log() to also carry signal sender details
      signals: Extend Signals::ReceiveLog() to pass signal sender details
      log: Simplify the LogWriter API slightly
      log: LogWriter::Write() implementations must check if metadata is valid
      log/proxy: LogServiceProxy::Detach() must wait for a reply
      log: Make more Log::EventFilter methods publicly available
      log: Improve misleading Log::EventFilter error message
      client: Signals sent should not change the D-Bus path
      client: Backendstarter can use a bit longer idle-exit
      sessionmgr: Improve retrieve sessions helper method
      dbus/signals: std::move() the callback lambda to the signal handler
      events/log: Extend Events::Log to carry a LogTag::Ptr
      log: Simplify LogWriter API - remove PrependMeta() + AddLogTag()
      log: Rework passing of LogTag to the LogWriter backend
      signals/statuschange: Implement Signals::ReceiveStatusChange
      sessionmgr: Disable log forwarding for sessions closing
      GDBus++/log: Migration of net.openvpn.v3.log / openvpn3-service-log
      sessionmgr: Add missing session_name property in Session objects
      log: Initialize logstream pointer properly
      docs: Create, build and install man pages
      log: Remove unused namespace in openvpn3-service-log.cpp
      build/tests: Build the cmdparser-test program
      common: Remove RCPtr from cmdargparser.[ch]pp
      common/cmdargparser: Pass std::string by reference
      common/cmdargparser: Replace typedef with using for consistency
      GDBus++/ovpn3cli: Start migration of openvpn3 and openvpn3-admin cli tools
      policy: Allow access to GetAll property method in backends and log services
tests: Migrate dbus/get-service-version-prop to Meson and GDBus++ GDBus++/ovpn3cli: Migrate 'openvpn3-admin version' build: Move DNS configuration code from netcfg service to netcfgmgr_lib GDBus++/ovpn3cli: Migrate 'openvpn3-admin init-config' log/journald: Add O3_LOG_SENDER meta data for log service log/journald: Update the journald log parser to new Events::Log location log/journald: Extend the journald parser to include the updated log service GDBus++/ovpn3cli: Migrate 'openvpn3-admin journal' sessionmgr/proxy: Add Session::GetConfigName() GDBus++/ovpn3cli: Migrate argument helper functions GDBus++/ovpn3cli: Migrate 'openvpn3-admin log-service' netcfg/proxy: Enforce NetCfgProxy::Manager to be a smart-pointer log: Add additional mutex around log subscription changes netcfg: Catch errors sending signals netcfg/dns: Preserve device name in systemd-resolved D-Bus proxy netcfg/dns: Retrieve values set in NetCfg::DNS::resolved::Link setters netcfg/dns-resolved: Implement sending NetworkChange DNS added/removed signals netcfg/dns: Provide device name when sending DNS_*_REMOVED signals netcfg: Fix incorrect signal subscription D-Bus API netcfg: Don't try to send NetworkChange signals without subscribers netcfg/NetworkChange: Implement crude subscription ownership tracking netcfg: Activate the missing NetworkChange subscription feature netcfg/proxy: Fix typo in D-Bus data type subscription retrival netcfg: Fix type inconsistency in NetCfgChangeType netcfg/proxy: Use DBus::Exception::GetRawError() instead of what() netcfg/proxy: Use synchronous call for NotificationUnsubscribe netcfg: Base NetCfg exceptions on DBus::Exception GDBus++/ovpn3cli: Migrate 'openvpn3-admin netcfg-service' sessionmgr/proxy: Don't call StartServiceByName() in the constructor build: Add workaround for tinyxml2 macro bug in OpenVPN 3 Core sessionmgr/proxy: Implement SessionManager::Proxy::Manager::Introspect() sessionmgr/proxy: Implement methods for a few Session object properties GDBus++/ovpn3cli: 
Migrate 'openvpn3-admin sessionmgr-service' sessionmgr: Remove superfluous check in helper_retrieve_sessions() utils: Add a global time_t to local date/time string converter configmgr/proxy: Extend the configmgr proxy with property getters GDBus++/ovpn3cli: Migrate 'openvpn3 configs-list' configmgr/proxy: Extend the configmgr proxy with CheckObjectExists() configmgr/proxy: Add helper code for using smart-pointers ovpn3cli/arghelpers: Add optional DBus::Connection to retrieve_config_path() GDBus++/ovpn3cli: Migrate 'openvpn3 config-manage' GDBus++/ovpn3cli: Migrate 'openvpn3 config-acl' GDBus++/ovpn3cli: Migrate 'openvpn3 config-dump' GDBus++/ovpn3cli: Migrate 'openvpn3 config-remove' GDBus++/ovpn3cli: Migrate 'openvpn3 config-import' configmgr/proxy: Improve error message on config object not found sessionmgr/proxy: Add GetConfigPath() method GDBus++/ovpn3cli: Migrate 'openvpn3 sessions-list' GDBus++/ovpn3cli: Migrate 'openvpn3 session-stats' sessionmgr/proxy: Add CheckSessionExists() method GDBus++/ovpn3cli: Migrate 'openvpn3 session-acl' client: Use StatusMinor::SESS_AUTH_URL for pending web authentications common/cmdargparser: Add missing #include <sstream> dbus: Improve object ownership GetUID/GetPID call error scenarios common: Add missing #include<string> in open-uri.hpp events: Fix typ0 in the Status method - Get/SetPrintMode log/proxy: Harden the LogProxy::Remove() method sessionmgr: Improve log_forwarders access across multiple threads configmgr/proxy: Update DBus::Proxy::Exception throw APIs sessionmgr: Session::method_ready() uses wrong exception string for parsing sessionmgr/proxy: Use *::List where possible for handling known std::vector<> types sessionmgr/proxy: Session::Ready() cannot use simple_call() sessionmgr/proxy: Session::GetLastStatus() should not return a const object GDBus++/ovpn3cli: Migrate 'openvpn3 session-auth' sessionmgr/proxy: Base SessionManager::Proxy::Exception on DBus::Exception ovpn3cli: retrieve_config_path() should return 
DBus::Object::Path sessionmgr/proxy: Provide all details when Proxy::Session::Ready() fallback throws configmgr/proxy: OpenVPN3ConfigurationProxy::Import() should return DBus::Object::Path ovpn3cli/GDBus++: Migrate 'openvpn3 session-start' ovpn3cli/session: Move statistics_plain() helper function to helpers.cpp ovpn3cli/GDBus++: Migrate 'openvpn3 session-manage' sessionmgr: Don't wipe the log_forwarders map until we're done log/logwriter: Extend the API to handle Events::Status common/utils: Add is_colour_terminal() helper function tests/GDBus++: Migrate the logfwd-listener test program sessionmgr/proxy: Move local exceptions to SessionManager::Proxy::Exception ovpn3cli/GDBus++: Migrate 'openvpn3 log' ovpn3cli: Make main() provide argv[0] details in exceptions GDBus++: Remove left overs from the old DBus implementation policy: Be more generous with access to Ping methods sessionmgr/proxy: Add extra check at setup to check availability in Manager configmgr/proxy: Replace Ping in ctor with CheckObjectExists() ovpn3cli/log: Fix signal setup errors with fresh starts ovpn3cli/log: LogAttach::lookup_config_name() does not always need iterations build: Remove autoconf/automake build configuration docs: Update README and BUILD documentation codestyle: Do a complete reformat for consistency docs/man: The logger service is renamed - openvpn3-service-log docs: Update the renamed openvpn3-service-log in misc documentation src: Update to the renamed openvpn3-service-log in the sources docs/man: Generalize the generation and installation of man pages build: Move finding 'cp' from dco to main meson.build build: Install the Python code via Meson docs: Minor style cleanup in dbus-overview.md build: Install the distro/systemd files if systemd is enabled build: Remove the '-dev' extension to binaries build: Split out the openvpn3/ Python module to a separate meson.build build: Prepare and install bash-completion files when enabled build: Generate and install polkit and PolicyKit 
rules build: Install the persistent configurations directory build: Migrate profilemerge-optionlist test program to Meson tests: Build config JSON import/export test programs tests: Build open-uri-test common: Get rid of glib-unix.h from cmdargparser.hpp build: Reduce linking deps for test programs build: Don't build unit-tests unless enabled ovpn3cli: Fix failing shell-completion for 'openvpn3 log' configmgr: Adjust ACLs for Fetch/FetchJSON and public_access rights configmgr: Grant read access to more config object properties configmgr: Provide better user-error when Authorize() rejects access log: Don't duplicate Events::Log() prefix in the log writes ovpn3cli/log: Remove duplicated Events::Log details in log output configmgr/proxy: Add/Remove tag methods provided odd errors ovpn3cli/config-manage: Remove not needed details in errors from --tag and --remove-tag ovpn3cli/config-manage: Extract all profile before displaying it configmgr/proxy: Add method to retrieve the D-Bus path of the object ovpn3cli/config-acl: Add some air around the output and show D-Bus path ovpn3cli/config-manage: Add D-Bus path to --show configmgr: Fix properties via add_persistent_property() not working code style: Use BreakBeforeBinaryOperators: NonAssignment code style clean-up ovpn3cli/config-manage: Better message on profile objects not found ovpn3cli: Improve overall error extraction for the command line ovpn3cli/log: Improve error message when LogForward() call fails netcfg/proxy: Fix incorrect data type for Device::SetMtu() netcfg: Implement missing device object properties configmgr: Fix mixed up Log Attach() API usage sessionmgr: Generalize the check if the backend VPN proxy is valid sessionmgr: Remove the backend VPN proxy if session closing fails sessionmgr: Catch errors if DBus::Object::Manager::RemoveObject() fails sessionmgr: Fail Authorization() if VPN backend is dead configmgr/proxy: Calling CheckObjectExists() should not happen in ctor sessionmgr/proxy: Improve the 
SessionManager::Proxy::Manager setup configmgr: Ensure log service is available on config import configmgr: Improve error message to user on import errors client: Check vpnclient object exists in 'Ready' callback ovpn3cli/session-start: Improve stability starting sessions from file tests: Don't run config-override-selftest if Config Manager is inaccessible configmgr: Extend configuration objects with a Validate() D-Bus method ovpn3cli/session-start: Validate config profiles before starting a new VPN session python: Add config profile validation in openvpn2 and openvpn3-systemd ovpn3cli/config: Add profile validity check in config-manage and configs-list github: Add issue template - migration to codeberg.org configmgr/proxy: Add feature check for Validate method ovpn3cli/session-start: Always refresh feature set setting up configmgr proxy netcfg/proxy: Check non-response calls for nullptr before freeing client: Catch exceptions from NetCfgProxy::Device method calls netcfg: Return when no DNS resolver is configured in method_add_dns_search() Frank Lichtenheld (1): build-selinux-policy: make sure to use bash Razvan Cojocaru (4): GDBus++: Migrate openvpn3-service-configmgr build: Use version_compare(), not lexicographical comparisons Use get_option('sbindir') instead of hardcoded 'sbin' log/syslog: Don't assign NULL to const std::string& parameter
OpenVPN 3 Linux v21 (stable)

This is primarily a maintenance release with several minor bug fixes and general improvements.

* Improvement: Upgrade OpenVPN 3 Core Library to v3.8.2
This is an upgrade from Core Library 3.7, which provides more enhancements and adds support for the newer ovpn-dco-v2 kernel module.

* Bugfix: OpenVPN 3 Linux AWS VPC lacks support for IMDSv2
mattjbyrd reported the AWS VPC integration was not working with EC2 instances where IMDSv2 was enforced. This issue is resolved with the OpenVPN 3 Core Library upgrade. Details: <#192>

* Bugfix: Python StatusCallback did not work without LogCallback enabled
Jeremy Fleischman reported an issue where the openvpn3 Python module did not work when just setting up a SessionManager.StatusCallback() method. He provided a fix which is now included in v21. Thanks a lot, Jeremy! Details: <ba6fe37>

* Bugfix: openvpn3 config-manage override may not always work
The openvpn3 config-manage override options would in some cases not work due to a programming error related to an internal set_override() method and the SetOverride() D-Bus method. The result was that typically string values ended up empty. Now all the overrides can be configured again.

* Bugfix: OpenVPN 3 Python based configuration parser issues
Several options and --profile-overrides did not work or were completely missing, like the dns-scope and allow-compression overrides. This has been improved and the list of overrides should now be up-to-date with openvpn3 config-manage. The Python based option parser also did not fully support overrides with a boolean true/false setting. This has also been fixed.

* Improvement: Detect needed host specific settings during package install
The OpenVPN 3 Linux v20 introduced the openvpn3-admin init-config command. This has been further improved and will now be run automatically during the package installation.
This command will probe the system for important features on the system, like what kind of system logging is in use and what kind of DNS resolver approach is available (systemd-resolved, /etc/resolv.conf), as well as doing other sanity checks, like whether the needed openvpn user/group is present, important directories are configured correctly and that SELinux based systems have the proper file contexts set up. The default behaviour is that existing configuration changes will NOT be overwritten. But if no settings have been set, it will generate configuration files better matching the running system.

* Improvements: OpenVPN 3 Log Service
The OpenVPN 3 Log service (openvpn3-service-logger) made it hard to track where Attached: and Detached: log events came from. This does now add a PID reference, which can be traced more easily in the logs.

* Improvements: OpenVPN 3 Configuration Manager feature support tracking
When upgrading OpenVPN 3 Linux versions, there might be situations where an older OpenVPN 3 Configuration Manager will be running but the openvpn3 command line tool is newer. When the command line tool attempts to access features not available in the Configuration Manager backend, it would result in an error and a poorer user experience. The code providing the glue interface for the calling side (openvpn3) has been extended with a feature/version mapping, so it can filter out operations not supported if the backend version is lacking certain functions. In most cases, the openvpn3 config commands will then continue to work as before, just not providing access to features available in newer back-ends. A similar functionality is planned for the Session Manager and is being considered for the OpenVPN 3 Python module.

* Improvements: OpenVPN 3 Python module
Configuration profiles from OpenVPN Access Server and sometimes OpenVPN Cloud Connexa will often contain "meta options", typically prefixed with "# OVPN_".
The Python parser would not accept several of the deprecated meta options. The parser has now been extended to filter out those options not needed, used or supported by the OpenVPN 3 Core Library.

* Improvements: Adjustments needed to satisfy Debian packaging
Several minor issues have been fixed to satisfy the Debian package linter utility. There are still some issues left, some will not be possible to improve before Debian ships with a newer dbus-daemon - as we need functionality present in a newer release. The dbus-broker is also lacking a similar functionality currently. This work is also done in collaboration with Marc Leeman who is working on providing a native Debian repo package for OpenVPN 3 Linux. Thanks a lot, Marc! Details: <#193>

* Feature: Label/tag support for imported OpenVPN configuration profiles
The OpenVPN 3 Configuration Manager and the openvpn3 config-manage and configs-list commands have been extended with the ability to add one or more text labels to configuration profiles. At import time, the openvpn3 config-import command can also assign tags immediately. Users with many imported configuration profiles can more easily filter which configurations are shown with the openvpn3 configs-list command. Other tools (openvpn3-as, openvpn-connector-setup) will also make use of this feature as they are being updated, to more easily understand where a configuration profile arrived from.

* Feature: JSON formatted output with openvpn3 configs-list and config-dump
The list of configurations can now be retrieved as a JSON formatted list via the openvpn3 configs-list. The openvpn3 config-dump will normally dump the normal configuration using the standard OpenVPN configuration file format. The JSON format will contain all the additional meta options, overrides and access control lists not expressed in the standard file format. This format is the same format used internally for persistent configuration profiles.
* Feature: Filtering options when retrieving available configurations
The openvpn3 configs-list command has been extended with several filter arguments to only extract filters with a specific tag or owner as well as a simple prefix filter on the configuration name. The OpenVPN 3 Configuration Manager also exposes two new D-Bus methods to retrieve available configuration profiles based on a tag or owner.

* Feature: Simple and verbose list formats in openvpn3 configs-list
The default listing in openvpn3 configs-list has been simplified and will only list one configuration profile per line now. The more comprehensive list can be retrieved using the --verbose argument. The verbose list will also include configuration tags.

---- Changes from v20 to v21 -------------------------------------------

Antonio Quartulli (2): ovpn3cli/init-config: use namespace NetCfg::DNS also if no systemd is available netcfg-dco: remove code made obsolete by ovpn-dco-v2

David Sommerseth (128): Update GitHub pull-req template configmgr: Add override caching to OpenVPN3ConfigurationProxy::GetOverrides() configmgr: Extend Configuration Proxy with GetOverrideValue() ovpn3cli/config: Explicitly provide DNS Resolver Scope setting netcfg/dns: Enable default DNS routing when scope is global netcfg/dns: Document the NetCfg::DNS::systemdResolved::updateQueueEntry properties build: Fix improper cleanup aws: Remove execute flag on systemd unit file log: Save a flag for changed properties in LogServiceProxy log: Extend LogServiceProxy to track what the original value was ovpn3cli/admin: Refactor log-service command docs: Improve doxygen setup common: Add missing header file in lookup.hpp netcfg/dns: New method - ResolvConfFile::GetNameServers() ovpn3cli: Extend init-config to also consider /etc/resolv.conf log: Extend LogMetaDataValue to handle integers log: Parse the O3_INTERNAL_METHOD meta data log: Extend Logger with GetLogTagPtr() method log/service: Refactor out log detaching logic to separate
method log/service: Enable automatic cleanup of stray subscriptions python: Fix ConfigParser.ReadConfigFile not removing semicolon comments Update to OpenVPN 3 Core library v3.8 baseline client: Check if the configuration is DCO compliant before start vendor: Update to ASIO 1.28.0 log: Add caller PID to Attach/Detach calls docs: Remove Linux distributions which is no longer supported log: Strip double {tag:...} references in openvpn3-admin journal output core: Update to latest OpenVPN 3 Core 3.8 related changes ovpn3cli: Add --exists and --quiet to config-manage configmgr: Add missing #include<dbus/path.hpp> docs: Add missing configmgr description: SetOverride/UnsetOverride configmgr: Add support for assigning tags to config profiles configmgr: Preserve configuration profile tags on disk configmgr: Return gracefully if a method call is not processed configmgr: Expose C++ method for checking config profile tags configmgr: Add D-Bus method to search for config profile tags configmgr/proxy: Extend proxy object with tag management ovpn3cli: Show config profile tags in config-manage configmgr/proxy: Improve tag management error handling in proxy object ovpn3cli: Add tag management to config-manage ovpn3cli/config-manage: Consider --quiet in all informational output configmgr/proxy: Make tag prefix 'system:' reserved python: Extend Configuration implementation with tag management python: Implement SearchByTag() in ConfigurationManager object python: Extend ConfigurationManager.Import() to add system tags python/openvpn3-as: Add an openvpn3-as specific system tag on import configmgr: Refactor ConfigManagerObject D-Bus method call handler configmgr: Refactor ConfigurationObject D-Bus method call handler configmgr: Rework the config profile usage counter check logic configmgr: Replace __FUNCTION__ macro in GLibUtils calls core: Switch to OpenVPN 3 Core version 3.8 configmgr: Reorder #include files configmgr: Remove stray handler_fetch_json() method configmr: Refactor 
g_variant_get() calls, use GLibUtils instead dbus/glib: Extend GVariantBuilder helpers with type override configmgr: Refactor std::vector D-Bus return values to use GLibUtils configmgr/proxy: Refactor g_variant_get() calls, use GLibUtils instead dbus: Extend GLibUtils with ParseGVariantList() configmr/proxy: Refactor proxy code retrieving D-Bus arrays ovpn3cli: Add --filter-config to configs-list command configmgr/proxy: Extend proxy object with tag search ovpn3cli: Add --filter-tag to configs-list command configmgr: Add D-Bus method to search for profiles by specific owner configmgr/proxy: Extend proxy object with SearchByOwner() ovpn3cli: Add --filter-owner to configs-list ovpn3cli: Add --count to configs-list ovpn3cli: Improve configs-list output client: Do not reset empty env array in backendstart core: Update to OpenVPN 3 Core library v3.8.1 dbus: Clean up odd init booleans in DBusProxy dbus: Cleaning up impropoer DBusProxy internal proxy pointers freeing dbus: Remove the DBusProxy() constructor accepting DBus() objects dbus: Protect DBusProxy::proxy pointers changes better ovpn3cli: Fix signedness comparison issue in cmd_config_manage() netcfg: Fix improper use of std::move() variables in NetCfgProxyException dbus: Fix copy-paste error in DBusProxy destructor configmgr: Use a better data type for timestamps in JSON Export() netcfg/unit: Add DNSResolverSettings.AddNameServer_multiple test netcfg/dns: Replace RC/RCPtr with std::shared_ptr in ResolverSettings netcfg/dns: Be consistent with for-iterators in SettingsManager dbus: Add more details when dbus_proxy_call() fails dbus: Fix incorrect use of proxy object in DBusProxy::GetNameOwner() build: Add a few missing #include files netcfg/dns: Improve details on file removal in FileGenerator::Write() netcfg/dns: Catch and report errors in ResolvConfFile::~ResolvConfFile() netcfg: Check fd properly before close() in NetCfgServiceObject::protect_socket() common: Fix potential memleak in 
SingleCommand::parse_commandline() common: Fix incorrect arg passing in Configuration::OptionMapEntry common: Fix incorrect lambda arg passing in Configuration::File docs: Fix incorrect signal signature for netcfg.NetworkChange ovpn3cli/configs-list: Add --json output format build: Do not distribute ovpn-dco header as part of openvpn3-linux configmgr: Use Json::Value::UInt64 instead of uint64_t dbus/glibutils: Don't initialize std::stringstream configmgr: Check override type as well as D-Bus type in set_override() configmgr: Add missing #include in overrides.hpp configmgr: Fix incorrect set_override() declaration configmgr: Fix lacking config override value extraction configmgr/tests: Update config-override-selftest exception checks python: Add support for --ignore-unknown-option in openvpn2 core/config: Extend OpenVPN Access Server configuration support core/config: Filter out meta-options in OptionListJSON::json_export() tests: Add unit test for OptionsJSON string and JSON export methods common: Extend ParsedArgs::Present(std::vector<>) to optionally return empty string ovpn3cli: Don't throw an exception in config-manage if operation is not found python: Fix typ0 in error message with incorrect override key python: Move supported profile overrides definition python: Ensure --profile-overrides is not put into generated config python: Add support for allow-compression profile override setting ovpn3cli/config: Move openvpn3 config-import into a separate compilation unit ovpn3cli/config: Extend JSON schema used by config-dump --json python: ConfigParser does not process boolean overrides correctly python: Add support for dns-scope profile override in ConfigParser core: Update to OpenVPN 3 Core library v3.8.2 configmgr/proxy: Add framework for backend feature checking configmgr/proxy: Add CfgMgrFeatures::TAGS checking ovpn3cli/config: Add feature check for configs-list and config-manage configmgr/proxy: Add forcing feature loading in the OpenVPN3ConfigurationProxy 
ovpn3cli/config: Add --tag support to config-import ovpn3cli/config: Fix typo in JSON key for transfer_owner_session ovpn3cli/config: Add missing feature check in config-dump proxy: Fix incorrect version extraction logic with non-service root paths build: Rework the OpenVPN 3 Core library version macro (OPENVPN_VERSION) python: ConfigParser does not accept --bind python: ConfigParser did not accept dns-fallback-google and persist-tun overrides docs/man: Use the proper section tag in openvpn3-systemd.8 misc: Fixing several typ0s all over the code base docs: Minor touches to README and BUILD docs Frank Lichtenheld (1): docs/man: Fix description in openvpn3-config-manage man page Jeremy Fleischman (1): python: Fix StatusChangeCallback() so it works without a LogCallback
OpenVPN 3 Linux v20 (stable)

This is the first stable release of OpenVPN 3 Linux. This release is mostly adding minor improvements, a few bug fixes and adding two more helper tools.

* Feature: openvpn3-admin journal
This is a helper function to retrieve log events from the OpenVPN 3 Linux stack logging with systemd-journald. It can be considered a lightweight journalctl tool, which is targeting some of the filters useful for OpenVPN 3 Linux.

* Feature: openvpn3-admin init-setup
This is another helper function to configure OpenVPN 3 Linux in an automated fashion based on the current runtime environment. It will ensure proper state directories are present with the proper ownership and access, as well as SELinux context labels if that is available. It will check if the needed user/group accounts are present and whether to use systemd-journald and systemd-resolved or not. In the next release, this feature will be used in the packaging scripts for Debian/Ubuntu and Fedora/Red Hat Enterprise Linux packaging as well.

* Improvement: Full support for CR_TEXT based multi-factor authentication
Prior releases did not fully support CR_TEXT/crtext based authentication which would result in disconnecting from the server while querying the user for the additional credentials. This new mode is more efficient and will keep the connection to the server alive.

* Improvement: Improve behaviour with incorrect private key passphrase
Prior releases would dump an error message which would not be very end-user friendly if the connection failed due to an incorrect passphrase to the private encryption key needed for the connection. This has been improved and the error handling should be more clear for non-technical users.

* Improvement: Run resume and restart operations in the background
Until now, the openvpn3 session-manage --resume and --restart operations would run in the foreground, resulting in stopping the VPN session if this operation would be interrupted.
These operations can typically run in the background. If a re-authentication would be needed, the openvpn3 session-auth command is available to complete that operation. It is also possible to run these operations in the foreground by adding the --timeout argument with a value reasonable to wait for this operation to complete.

* Improvement: Install openvpn3/constants.h header file
This adds a header file which contains all the constants used by the OpenVPN 3 Linux stack, which is suitable for C programs. The constants listed here are similar to the constants found when importing the Python 3 openvpn3.constants module. These constants are typically used in D-Bus signals issued by the OpenVPN 3 Linux stack.

* Bugfix: Don't hardcode use of --journald in openvpn3-service-logger
Not all Linux distributions ship with the systemd stack. Auto-detect during build time if systemd support is available or not and fallback to syslog if systemd support is lacking.

* Bugfix: Don't hardfail if systemd-resolved is unreachable
If openvpn3-service-netcfg could not reach or access the systemd-resolved service, it would hard-fail which again would cause the VPN session to fail starting. This has been changed so the VPN session will succeed, but it will instead not do the DNS configuration. This situation will be duly logged in the system logs.

* Documentation: Highlight deprecation of openvpn3-autoload
The openvpn3-autoload feature is being deprecated in favour of using the systemd openvpn3-session@.service feature instead. The openvpn3-autoload feature will still be around though, until there is a suitable alternative for Linux distributions not capable of using the more native systemd approach.

* Documentation: Generic overhaul
Lots of the man pages as well as the README.md file have been reviewed and updated.
Lots of details have been clarified and the README.md has been split up into several files as it has grown quite a lot and some of the information would be better to have in other files to avoid duplicating the information.

* Code: Coding style
There now exists a .clang-format coding style definition and all the C++ source code and headers should now be using this style.

* Copyright: Switch to SPDX license tags
To ease the maintenance of copyright blobs, all files with an AGPL copyright blob have been switched to the SPDX license tag.
OpenVPN 3 Linux v19 (beta)

This release does another round of improving the logging system, in addition to bug fixes and other improvements.

* Log system changes

  The net.openvpn.v3.log service has been extended to support logging directly to systemd-journald as an alternative to syslog. The default log destination has been changed from syslog to journald.

  Using the systemd-journald as the log destination allows attaching more meta data variables to the log events, which can be used when querying the journal using journalctl. These additional meta data variables can be observed when using the 'verbose', 'json', 'json-pretty' or 'export' output modes (journalctl --output).

  The OpenVPN 3 Linux specific meta data variables are prefixed with "O3_". The meta variables OpenVPN 3 Linux may make use of are:

  - O3_LOG_GROUP / O3_LOG_CATEGORY

    These are directly mapped to the logging classification described here: <https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/dbus/dbus-logging.md>

  - O3_LOGTAG

    This tag is unique per openvpn3-service-* process and will be changed if the process restarts. This information has so far been added to the beginning of the log lines, as the '{tag:....}' prefix. This prefixing to the log lines can now be removed by running:

        # openvpn3-admin log-service --enable-log-prefix false

    The O3_LOGTAG will have the same content as the prefix, without the '{tag:...}' encapsulation; O3_LOGTAG contains only the plain identifier.
    The log tags currently active can be listed by running:

        # openvpn3-admin log-service --list-subscriptions

  - O3_SENDER, O3_INTERFACE, O3_OBJECT_PATH

    These are added if the D-Bus log details are enabled by running:

        # openvpn3-admin log-service --dbus-details true

  - O3_SESSION_TOKEN

    This is used by the openvpn3-service-client process, where the session token has the same value as the argument the process is started with.

  To list only these OpenVPN 3 Linux meta variables, run this command:

      # journalctl -o verbose --since today \
          --output-fields=O3_SENDER,O3_INTERFACE,O3_METHOD,O3_OBJECT_PATH,O3_LOGTAG,O3_SESSION_TOKEN,O3_LOG_GROUP,O3_LOG_CATEGORY,MESSAGE \
          _PID=$(pidof openvpn3-service-logger)

  This query can be extended further to narrow down the log scope. To only list client process log events, add this to the line above:

      O3_LOG_GROUP=Client

* Enhancement: IV_PLAT_VER sent to server

  This field provides OS details of the platform the OpenVPN 3 client is running on. This will contain an arbitrary string provided by either the systemd-hostnamed service, or if that is unavailable it will extract some more generic information using the uname() system function.

  The IV_GUI_VER string has also been slimmed down a bit to only provide information about the OpenVPN 3 Linux client alone. The IV_VER will contain information about the OpenVPN 3 Core library version which OpenVPN 3 Linux is compiled against.

* Update to OpenVPN 3 Core Library v3.7.1

  This update of the OpenVPN 3 Core library is a maintenance release. The changes which touch OpenVPN 3 Linux are related to the ovpn-dco kernel module support. On systems running more VPN sessions in parallel with DCO (Data Channel Offload) enabled, the Core library could in some situations perform operations on the wrong DCO interface.

* Bugfix: Web based authentication with OpenVPN Access Server fix

  When connecting to OpenVPN Access Server configured with web based authentication (i.e.
  SAML), the authentication could fail on renegotiations. The fix currently applied will require to import the Access Server profile once again. This will be improved further in the next release. <#154>

* Bugfix: Python warning with openvpn3-as on Ubuntu 22.04

  When running the openvpn3-as utility on Ubuntu 22.04 it would complain about using a deprecated ssl.SSLContext() mode. This has been updated to use the preferred mode.

* Bugfix: openvpn3 command line bash-completion

  The bash-completion support has been changed to avoid adding an additional space after file and directory names.

The complete list of changes:

David Sommerseth (74):
      tests: Improve MachineIDTest::get_systemd_api test
      build: Split up proxy-netcfg into a manager and device compilation unit
      core: Update to latest OpenVPN 3 Core Library 3.7 development
      shell: Fix proposing more options to --config shell completion
      shell: Fix trailing spaces in bash-completion
      build: Generate C compatible header file
      dbus: Add missing #include in glibutils.hpp
      log: Move LogTag into its own compilation unit
      log: Extend LogTag to enable/disable the tag mark encapsulation
      log: Extend LogTag with copy constructor
      log: Add new helper classes for log meta data
      log: Implement the new meta data log handling
      log: Extend LogMetaDataValue to process LogTag objects
      log: Extend LogMetaData with GetMetaDataRecords() method
      log: Use LogTag in Logger class instead of std::string
      common: Allow setting default filename in Configuration::File ctor
      common: Extend Configuration::File with Get/Set for more data types
      log: Re-implement configuration state saving
      log: Switch to GLibUtils::ExtractValue in LogEvent
      log: Implement LogTag prefix configuration setting
      log: Extend LogEvent with LogGroup/Category string extraction
      log: Add support for native systemd-journald logging
      log: Implement systemd-journald support in openvpn3-service-logger
      log: Split logwritter.hpp into its own compilation unit
      log: Split out StreamLogWriter and ColourStreamWriter
      log: Split out SyslogWriter to its own compilation unit
      log: Split out JournaldWriter to its own compilation unit
      log: Final change of the logwriter.hpp split-up refactoring
      log: Extend LogWriter API to provide backend info
      log: Extend net.openvpn.v3.log interface with log_method property
      cli/log: Provide information about logging method in use
      cli/log: Add admin --enable-log-prefix config setting
      log: Fix memory corruption with syslog/openlog()
      log: Rework initial opening information in logger service
      common: Extend Configuration::File with GetFilename()
      log: Extend state/config file option coverage
      log/logger: Simplify exclusive option check
      log/logger: Rework configuration/state loading
      log/logger: Extend with D-Bus property for config_file
      common: Add missing include files in cmdparser-exceptions.hpp
      cli/log: Add new options for logger config file management
      logger: Enable --journald as default log method
      build: Don't use space in PACKAGE_NAME
      docs/man: Add missing --auth-req option in openvpn3 session-auth
      docs: Added GitHub pull-request template
      log: Avoid halting logger startup on missing log-service.json
      dbus: Make bus_name and interface protected members in DBusProxy
      dbus/proxy: Check if property proxy is configured
      dbus/connection: Add extra connection tests in DBus constructors
      common: Add PlatformInfo API
      client: Send platform OS/distro peer information to server
      client: Simplify IV_GUI_VER string
      utils: Fix incorrect string concat in get_guiversion()
      tests/unit: Handle PlatformInfo::DBus error gracefully
      python: Use ssl.PROTOCOL_TLS_CLIENT in openvpn3-as
      configmgr: Initialise all members of ConfigurationObject class
      common: inline optparser_mkline function in core-extensions
      build: Fix clang++ warnings related to __LINE__ usage
      sessionmgr: Remove not needed namespace reference
      build: Fix missing override issues in logging and netcfg-signals.hpp
      log: Remove not used class variable in LoggerProxy
      log: Add virtual destructor in LogTag
      log: Pass the LogTag objects as smart pointers
      tests: Extend LogMetaData unit tests (LogMetaData, LogMetaDataValue)
      client: Add workaround for OpenVPN Access Server web authentication
      tests/core: Extend profilemerge-optionlist with dump functionality
      ovpn-dco: Update to latest headers
      docs: Add details about nscd and sssd
      log: Fix lacking LogWriter::AddMeta() doxy doc
      log: Fix missing O3_LOGTAG meta data variable
      cli/log-service: Fix incorrect change detection for log prefixing
      cli/log-service: Correct the behaviour with journald and D-Bus details
      distro: Improve openvpn3-session@.service unit
      core: Update to OpenVPN 3 Core Library v3.7.1

Jagadeesh Kotra (1):
      docs/client: fix typo in net.openvpn.v3.client docs

Raphael Mader (1):
      log: Fix non-systemd build
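The O3_ journal fields described under "Log system changes" in the v19 notes above can also be consumed from `journalctl -o json`. The following is an added example, not code from the OpenVPN 3 Linux project: it filters records by O3_LOG_GROUP, groups them by O3_LOGTAG, and escapes control characters in values that journalctl serialises as byte arrays. The journal records, their values and the helper names are constructed for illustration.

```python
import json
import sys
from collections import defaultdict

# Constructed sample records in `journalctl -o json` shape (one object per line).
# All values are invented; only the O3_* field names come from the release notes.
SAMPLE_JOURNAL = [
    json.dumps({"_PID": "4242", "O3_LOG_GROUP": "Client", "O3_LOG_CATEGORY": "INFO",
                "O3_LOGTAG": "tag-client-1", "O3_SESSION_TOKEN": "token-1",
                "MESSAGE": "Connecting"}),
    # journalctl serialises values with non-printable bytes as an array of numbers
    json.dumps({"_PID": "4242", "O3_LOG_GROUP": "Client", "O3_LOG_CATEGORY": "INFO",
                "O3_LOGTAG": "tag-client-1", "O3_SESSION_TOKEN": "token-1",
                "MESSAGE": list(b"user=bob\x1b[2K\rsecond line")}),
    json.dumps({"_PID": "4242", "O3_LOG_GROUP": "Session Manager",
                "O3_LOGTAG": "tag-sessmgr", "MESSAGE": "Session created"}),
    json.dumps({"_PID": "1", "MESSAGE": "Started unrelated unit"}),
]


def field_text(value):
    """Render one journal JSON field value as a single printable string."""
    if value is None:  # null: journalctl omitted an oversized value (or field absent)
        return "<omitted>"
    if isinstance(value, list):
        if all(isinstance(v, int) for v in value):  # raw byte array
            value = bytes(value).decode("utf-8", errors="replace")
        else:  # the same field was set more than once in this record
            value = " | ".join(field_text(v) for v in value)
    # Escape control characters so they cannot alter what the analyst sees.
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in str(value))


def o3_events(lines, group=None):
    """Return the O3_* metadata plus MESSAGE of each OpenVPN 3 Linux record."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        meta = {k: field_text(v) for k, v in record.items() if k.startswith("O3_")}
        if not meta:  # record carries no OpenVPN 3 Linux metadata
            continue
        if group is not None and meta.get("O3_LOG_GROUP") != group:
            continue
        meta["MESSAGE"] = field_text(record.get("MESSAGE"))
        events.append(meta)
    return events


def messages_by_logtag(events):
    """Group messages by O3_LOGTAG, i.e. by openvpn3-service-* process instance."""
    grouped = defaultdict(list)
    for event in events:
        grouped[event.get("O3_LOGTAG", "<no tag>")].append(event["MESSAGE"])
    return dict(grouped)


if __name__ == "__main__":
    # Reads piped journalctl output; falls back to the constructed sample.
    source = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin
    for tag, msgs in messages_by_logtag(o3_events(source, group="Client")).items():
        print(tag, msgs)
```

To run it on live data, pipe the output of `journalctl -o json --since today _PID=$(pidof openvpn3-service-logger)` into the script.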
INTERNAL: Using latest openvpn3-core/released branch

This contains just a few minor cosmetic changes (copyright updates)
OpenVPN 3 Linux v18 (beta)

This release does a larger overhaul on the logging system with a few additional bug fixes and other improvements.

* Log system changes

  In prior releases, the backend VPN client (openvpn3-service-client processes) sent Log signals (events) to the log service (openvpn3-service-logger process). If a user wanted to receive real-time log events, it could easily do so by flipping a boolean flag in the VPN session, managed by the session manager (openvpn3-service-sessionmgr process). In this case, the session manager would also pick up Log events from the VPN client and forward them.

  This architecture had a flaw which meant that if the log forwarding in the session manager was enabled for a session, anyone could pick up these log events. And if one of these log listeners turned off the log forwarding, this would happen for all other listeners at once. This design also meant that the VPN client process needed to send Log events to two different destinations; both the logger and the session manager.

  With the change introduced in v18_beta, the VPN client process now only sends Log events to the logger service. When a user wants to receive log events now, it needs to call the net.openvpn.v3.sessions.LogForward() method setting an enable flag instead of flipping the receive_log_events boolean property directly. The session manager will now do a proper access control to the caller and then tell the log service to forward Log events directly to the program wanting to receive Log events. To disable this forwarding, the program just calls the same method and unsets the enabling flag.

  This new architecture also allows multiple log forwarders to run in parallel without impacting the other listeners. Each forwarding is now handled independently. And forwarding Log events will no longer impact the session manager any more.
* Enhancement: openvpn3-as profiles can be started via systemd

  In v16_beta a new systemd unit file was introduced to make it possible to manage VPN sessions via systemd. With v18_beta this integration has been extended to the openvpn3-as utility which can download a VPN profile directly from an OpenVPN Access Server.

  When run as root, two new options can be used: --systemd-start and --owner. The first one will instruct openvpn3-as to enable the imported configuration profile to be started automatically during boot. The --owner takes a username argument, which, when run as root, will transfer the ownership of this VPN profile to the given username. When the VPN session is started as root, the session will automatically also be owned by the given user.

* Bugfix: openvpn3 session-start with web based authentication

  The instruction guide to help continue with web based authentication was misleading and no longer correct. This has been improved and the console now contains the correct instructions.

* Bugfix: Configuration manager could mangle --verify-x509-name

  When importing a configuration file with the --verify-x509-name option, it would often be misinterpreted when the import was as a persistent configuration profile. This has been resolved and the internal on-disk storage format for persistent configuration profiles has been upgraded to correctly handle this type of option class, with quoted strings. <#90>

* Bugfix: openvpn3-service-configmgr could segfault

  If the openvpn3-service-configmgr could not manage to reach the net.openvpn.v3.log service (openvpn3-service-logger), it would segfault resulting in a core dump needlessly. This has been resolved by adding proper error handling and gracefully exit with a more reasonable error message.
* Bugfix: Network Configuration state saving failing silently

  When the Network Configuration service (openvpn3-service-netcfg) configuration was to be written to disk and failing, the prior implementation ignored any errors happening. This has been improved and the error is now presented to the user if there is an error saving the configuration file.

* Bugfix: Python based config parser can now handle legacy algorithms

  The v17_beta release introduced a --enable-legacy-algorithms flag to be set on a configuration profile. This worked fine via the openvpn3 config-manage interface, but the Python parser lacked the parsing of this option. This has now been implemented, via the --profile-override option.

* Bugfix: Python based config parser did not accept --auth-nocache

  The --auth-nocache is not a feature directly available in OpenVPN 3 Core library. But it does not block a configuration file from working, so this was put to the internal "ignore list".

* Bugfix: openvpn2 could sometimes dump spurious error messages

  If CTRL-C was performed during the shutdown phase of a VPN session, where it would typically wait for statistics data to be collected, it could print various errors about local variables being unavailable. This has now been improved.
The complete list of changes:

David Schneider (1):
      docs: Fix incorrect doc paths in net.openvpn.v3.sessions docs

David Sommerseth (79):
      core-extension: Revamp the whole OptionListJSON class
      core-extension: Remove the ProfileMergeJSON class
      ovpn3cli: Improve session-start tip with URL auth
      python: Add support for enable-legacy-algorithms in config parser
      python: Extend openvpn3.Configuration class with GetConfigName()
      python: Extend openvpn3.Configuration class with SetOwnershipTransfer()
      python: Extend openvpn3-as with systemd integration
      python: Extend openvpn3-as with --owner
      log/proxy: Switch over from RCPtr to std::shared_ptr
      log/proxy: Add LogServiceProxyException exception class
      log/proxy: Add LogServiceProxy::AttachInterface() helper function
      configmgr: Switch over to LogServiceProxy::AttachInterface()
      sessionmgr: Switch over to LogServiceProxy::AttachInterface()
      netcfg: Switch over to LogServiceProxy::AttachInterface()
      client: Switch over to LogServiceProxy::AttachInterface()
      addons/aws: Switch over to LogServiceProxy::AttachInterface()
      python: Add --auth-nocache to ConfigParser's ignore list
      python: Fix spurious errors during disconnect in openvpn2
      common: Add error handling to Configuration::File::Save()
      dbus: Fix various warnings in connection.hpp
      dbus: Fix/improve header inclusion in signal.hpp
      client: Add missing include dbus-log.hpp in backend-signal.hpp
      log: Fix several spelling errors in comments in logwriter.hpp
      log: Remove the openvpn namespace and improve includes in dbus-log.hpp
      build: Rework distro/systemd EXTRA_DIST file list
      python: Allow --auth-retry to be passed on
      tests: Fix incorrect namespace closing in machine-id test
      build: Disallow AWS addon builds without OpenSSL
      build: Remove hard-coded gio-unix-2.0 include paths
      common: Fix missing header include for UID/GID lookups
      dbus: Remove the openvpn namespace from DBus related classes
      dbus: Extend DBus class with GetUniqueBusName()
      dbus: Ensure the D-Bus connection is valid
      dbus: Make path.hpp a separate compilation unit
      dbus: Free some GError structures in DBusProxy calls
      log: Refactor service.hpp to be a separate compilation unit
      log: Replace RC/RCPtr based smart pointers with standard C++
      log: Make dbus-log.hpp a separate compilation unit
      log: Don't log or proxy empty log events
      dbus: Extend with DBusSignalProducer::set_object_path()
      client: Extend with BackendSignals::SetSessionPath()
      client: Extend RegistrationConfirmation D-Bus method with session path
      client: Extend BackendSignals with GetSessionPath() method
      client: Provide related session path as a property
      log: Implement net.openvpn.v3.log.AssignSession
      client: Provide session path details to log service
      log: Extend D-Bus logging with path filtering
      log: Extend LogSender with ProxyStatusChange() method
      log: Extend Logger class with LogSender forwarding support
      log: Extend log forwarding to also include StatusChange signals
      log: Implement base LoggerProxy class
      log: Implement ProxyLogEvent method and D-Bus proxy helper class
      log: Implement the LogForwardBase helper class
      sessionmgr: Tear out the current SessionLogEvent implementation
      log: Implement proper access control in LoggerProxy
      sessionmgr: Re-implement log forwarding to end-users
      log: Re-implement LogForwardBase to request forwarding via session manager
      sessionmgr: Fix incorrect #include fencing
      ovpn3cli: Re-implement log command with new logging infrastructure
      log: Implement LogEvent::RemoveToken()
      log: Remove session token from forwarded log events
      python: Rework openvpn3.SessionManager for the new logging infrastructure
      python: Update openvpn2 to properly disable logging on shutdown
      distro/systemd: Disable log forwarding properly on shutdown
      build: Install D-Bus policies in ${datadir}/system.d
      dbus: Extend DBusSignalProducer with SendTarget() method
      log: Extend LogSender::Log() with an optional target address
      client: Rework BackendSignals to avoid Log signal duplication
      dbus: Extend GLibUtils with CreateEmptyBuilderFromType()
      log: Extend LogSender with GetLastLogEvent()
      client: Extend internal session object with last_log_line property
      sessionmgr: Re-implement last_log session object property
      vendor: Upgrade ASIO to 1.22.1
      dco: Upgrade to latest ovpn-dco git master
      policy: Add a mandatory D-Bus policy for Log and StatusChange signals
      docs: Update README with dependencies and distro changes
      docs: Improve the net.openvpn.v3.log docs slightly
      docs/README: Add info about systemd unit file
      docs/README: Fix a few minor details

Jagadeesh Kotra (1):
      docs: Fix missing information for net.openvpn.v3.configuration.Import
docs/README: Fix a few minor details

- IRC service has changed to libera.chat
- Fix a silly typo

Signed-off-by: David Sommerseth <davids@openvpn.net>