mirror of
https://github.com/deneraraujo/OpenVPNAdapter.git
synced 2026-04-24 00:00:05 +08:00
Sergey Abramchuk
5edb23a7ab
275cf80efb mac/tuncli: Don't take address of temporary error. 1406187bfc tun/win/tunutil: Don't auto& a temporary iterator. fe7f984c5d ip/ping6: Use _WIN32, not _MSC_VER (to fix MinGW). 03a906771e win: add OpenSSL as solution configuration 89cc11b300 win: enable building Windows client with OpenSSL febb24e7d9 openssl/compat.hpp: remove functions already defined in OpenSSL 0833eb1f76 linux/tunsetup: Fix missing asio/errinfo declaration d54b742910 linux: Improve cpu_time() using glibc/kernel methods a55fe2b554 tests: Added unit test for linux/cputime.hpp e33a00e6de [OVPN3-431] agent: Wintun support for agent 42592eb1b1 appveyor: initial commit 3e3f2078e6 win: rename env var in project file a2496a3616 Wintun: experimental support 58a7866b45 build script: added OPENSSL_DIST parameter to specify a custom OpenSSL build 288ea0277e OpenSSLContext: SSL_CTX_set_ecdh_auto() becomes a no-op in OpenSSL 1.1, so #ifdef out to avoid compiler warnings 3ef5059fa6 TLSSessionTicketBase: removed the ERROR symbol from a local enum in case it conflicts with a global preprocessor symbol 3364ed76b8 TLSSessionTicketBase: removed trailing comma from Status enum 025c7bad88 mbedtls/sslctx: Fix missing override in virtual methods 6cb3243681 mbedTLS: ssl() method accepting hostname should check if it is null ca31da7d28 bio_memq_stream.hpp: fixed multi-thread race (introduced with OpenSSL 1.1 support) using init_static() approach 2deb402223 OpenSSLContext::tls_ticket_key_callback: get self with SSL_get_ex_data instead of ssl->ctx->app_verify_arg eec139a100 MSF::find: renamed template type names to avoid conflict with preprocessor symbol (ITER) in test/ssl/proto.cpp 1024d37f33 str_neq: fixed bug where neq was not initialized c00b6f6302 Listen::List: refactored and extended expand_ports() 448c549a0b cpu_time(): added bool thread parameter to return CPU time of current thread (instead of process) 868801d7d9 Linux library: added cpu_time() method to return the CPU time of the current process 964d2cd428 SSL layer: added did_full_handshake() method and implemented for OpenSSL dd18d6c806 crypto::str_neq: use atomic_thread_fence(std::memory_order_acq_rel) instead of OPENVPN_COMPILER_FENCE 6a30af9528 OpenSSLSessionCache: use map instead of unordered_map 3ecbcbc81b OptionList: fixed compile errors that occur when get_num<T>() is used with a const type 72e9f858e4 SSL: added SSLConst::PEER_CERT_OPTIONAL flag and implemented for OpenSSL 33f15c8840 OpenSSL: use OPENSSL_VERSION_NUMBER instead of SSLEAY_VERSION_NUMBER cadb712ea9 ProfileMerge: added "static-key" to is_fileref_directive() 85befa316a TLS session tickets: work around an issue in OpenSSL session ticket keying callback f43c4c1440 TLSSessionTicketBase: misc fixes/enhancements c5f4d59d39 OpenSSLContext: added missing X509_free() to rebuild_authcert() 658fcc50eb OptionList: added get_num methods with min/max but no default 162eeaa485 SSL layer: added RFC 5077 TLS session resumption ticket support e0a821ddd6 OpenSSLContext: use C++11 member initializers 1ea5acce3c OpenSSLContext: minor changes to handshake_details() 74c0a4f995 string: added copy_fill() method 3e5921c06d AuthCert: added is_uninitialized() method 3d6b6b2319 library: added convenience method MSF::find() for maps/sets 18f5f4d1b5 SSLConfigAPI: remove set_enable_renegotiation() 18dcfd616c Added crypto::str_neq() function for securely comparing variable-length strings 4fc5725b9e RunContext: added get_servers() method ae22f155fd server: determine when server-side session ID should be preserved on soon-to-be-closed connections 5e34759d50 client: HALT/RESTART message was not properly purging the Session ID when required e1647eb407 Fix builds with GCC 4.8 compilers b55f78dd1d test_sitnl.cpp: account for old iptools output 236d39258b Allow overriding DEP_DIR by environment variable d56e049ea4 Refactor dependencies to be in a cmake script e9dc75ec90 sitnl: add unit tests faad8454be sitnl: pick the best gw by longest prefix and lowest metric dfcc4bc437 [OVPN3-354] cli.cpp: support for round-robin DNS and redirect gw 8a502f3b61 [OVPN3-354] tun linux: support for round-robin DNS and redirect gw c9315c7dc1 gwnetlink.hpp: specify destination when looking for gateway 89f091daf0 sitnl: implement interface filtering when looking for gateway 220de072a2 sitnl: support for multipart messages 5771dfc0ee transport: remove ip_hole_punch API d448b4a7db tun/builder/client.hpp: use "override" method specifier d85e92621d Make reproducible builds possible 7150f72e09 tun: remove code duplications in Linux tun implementations 8112f0cd7c [OVPN3-378] cli: support for TunBuilder API 6f0e9f6388 Fix Asio 0003 patch. 964662bacb Add /bigobj to build.py 74e40a8907 Upgrade ASIO to 0.13.0 a2713ce1f6 PureTLS: enable SNI by default when configuring client 19a44dbdda Merge branch 'qa' a5fdf43726 InitProcess: comment clarification that crypto_init declaration causes SSL library init when instantiated dec3bc140e OpenSSL: Revert a commit that breaks OpenSSL initialization 16a4e3d4a7 [OVPN3-405] asio: A quick fix for incorrect error message encoding aa785c30c1 Fix Base64::UCharWrap compiler warnings 51a1469e6b Merge various fixes 218cfa39cb Explicitly disable TAP support when parsing configurations 3a0e768ecd Explicitly disable any potential TAP support aba98471fc Fix base64 unit test with mbedtls and windows 9f84174f0b Add unit tests for Base64 017bc545ce Add base64 decode for void* data 452a353b2d Fix lzo build script to use it as dependency for the unit tests dfdd528dc1 Convert unit test to Googletest bd9ee482e6 Add copyright header to test_comp 059f20f2b2 Move compression unit test from common to core repository 5a024cde5c Added Snappy corpus for testing compression/decompression. ec4d400933 Add compatibility functions for OpenSSL 1.1.0 9768562a01 OpenSSL 1.1: Add argument to external sign to specify algorithm 1bbd2cc78c OpenSSL 1.1: Replace RSA_F_RSA_EAY_PRIVATE_ENCRYPT with Openssl variant c959a3cff0 OpenSSL 1.1: Replace remaining direct access to members 4307f024ca OpenSSL 1.1: And missing remaining compat implementations 3385c45151 OpenSSL 1.1: Use opaque pointer for HMAC_CTX f29453f4ca OpenSSL 1.1: Add compat includes for HMAC c107a1f6ab OpenSSL 1.1: Remove support for OpenSSL older than 1.0.0 024a10adc2 OpenSSL 1.1: Use EVP_MD_ctx as opaque pointer 35d82906c4 OpenSSL 1.1: Change EVP_CIPHER ctx field to pointer ebf4b7e87d OpenSSL 1.1: Use X509_digest to get certificate digest 7d3e5d02f2 OpenSSL 1.1: Use SSL_get_ex_data instead of direct access 8717f822ca OpenSSL 1.1: Replace ctx->current with X509_STORE_CTX_get_current_cert 67fbe1ab3f OpenSSL 1.1: Use X509_check_purpose to check certificate types 7b5a92d58e OpenSSL 1.1: Change OpenSSL TLS version logic to match mbed TLS c28b7d1893 OpenSSL 1.1: Adjust default OpenSSL cipher suites f108044a09 OpenSSL 1.1: Add defines for TLS 1.3 in tlsver.hpp ee1308b505 OpenSSL 1.1: Replace initialisation of RSA_meth with access method 905d681af1 OpenSSL 1.1: Use standard tls methods cf28e4600c OpenSSL 1.1: Change BIO wrappers around to use access methods 5e6571163d OpenSSL 1.1: Implement compat methods for new BIO methods in 1.0.2 8837539a73 Use std::nothrow as argument for new e6ec025932 Merge branch 'qa' 752a38c067 [OVPN3-397] size.hpp: wrap typedef in guards d4e50f8c54 Merge branch 'qa' d8d14e1991 [UCONNECT-1027] implement ResolveThread and ensure it is properly detachable 525a9a88a6 Merge branch qa 30ea53cb92 Replace custom memcpy implementation de7c672ee7 Workaround for compiler bug in memneq 84fcecd5e7 Fix missing override annotation in udp/tcp/httpcli 1a3a69a496 [UCONNECT-1027] use one AsioWork object for the whole pre-resolve opertation c4cbf93f9b Revert "[UCONNECT-1027] remotelist: create standalone object for resolve thread" 6ef089164e Allow unit tests to be also compiled with mbed TLS and on Windows 7c67bf7f50 Add unit tests for route emulation and establish common test suite 64a7b2f124 Add build file for core unit tests 0a0d080a49 Implement allowing local LAN access 2105b4b7c0 Fix Android route exclusion emulation git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/openvpn git-subtree-split: 275cf80efb7a08adc920f7ca49075c776e596b08
1169 lines
31 KiB
C++
1169 lines
31 KiB
C++
// OpenVPN -- An application to securely tunnel IP networks
|
|
// over a single port, with support for SSL/TLS-based
|
|
// session authentication and key exchange,
|
|
// packet encryption, packet authentication, and
|
|
// packet compression.
|
|
//
|
|
// Copyright (C) 2012-2017 OpenVPN Inc.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License Version 3
|
|
// as published by the Free Software Foundation.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program in the COPYING file.
|
|
// If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
// tun interface utilities for Windows
|
|
|
|
#ifndef OPENVPN_TUN_WIN_TUNUTIL_H
|
|
#define OPENVPN_TUN_WIN_TUNUTIL_H
|
|
|
|
#include <openvpn/common/socktypes.hpp> // prevent winsock multiple def errors
|
|
|
|
#include <windows.h>
|
|
#include <winsock2.h> // for IPv6
|
|
#include <winioctl.h>
|
|
#include <iphlpapi.h>
|
|
#include <ntddndis.h>
|
|
#include <wininet.h>
|
|
#include <ws2tcpip.h> // for IPv6
|
|
#include <tlhelp32.h> // for impersonating as LocalSystem
|
|
|
|
#include <string>
|
|
#include <vector>
|
|
#include <sstream>
|
|
#include <cstdint> // for std::uint32_t
|
|
#include <memory>
|
|
|
|
#include <tap-windows.h>
|
|
|
|
#include <openvpn/common/to_string.hpp>
|
|
#include <openvpn/common/size.hpp>
|
|
#include <openvpn/common/exception.hpp>
|
|
#include <openvpn/common/socktypes.hpp>
|
|
#include <openvpn/common/string.hpp>
|
|
#include <openvpn/common/stringize.hpp>
|
|
#include <openvpn/common/action.hpp>
|
|
#include <openvpn/common/uniqueptr.hpp>
|
|
#include <openvpn/buffer/buffer.hpp>
|
|
#include <openvpn/addr/ip.hpp>
|
|
#include <openvpn/tun/builder/capture.hpp>
|
|
#include <openvpn/win/reg.hpp>
|
|
#include <openvpn/win/scoped_handle.hpp>
|
|
#include <openvpn/win/unicode.hpp>
|
|
#include <openvpn/win/cmd.hpp>
|
|
#include <openvpn/win/winerr.hpp>
|
|
|
|
namespace openvpn {
|
|
namespace TunWin {
|
|
namespace Util {
|
|
OPENVPN_EXCEPTION(tun_win_util);
|
|
|
|
namespace {
|
|
// from tap-windows.h
|
|
const char ADAPTER[] = ADAPTER_KEY; // CONST GLOBAL
|
|
const char NETWORK_CONNECTIONS[] = NETWORK_CONNECTIONS_KEY; // CONST GLOBAL
|
|
|
|
// generally defined on cl command line
|
|
const char COMPONENT_ID[] = OPENVPN_STRINGIZE(TAP_WIN_COMPONENT_ID); // CONST GLOBAL
|
|
const char WINTUN_COMPONENT_ID[] = "wintun"; // CONST GLOBAL
|
|
}
|
|
|
|
using TapGuidLuid = std::pair<std::string, DWORD>;
|
|
|
|
// Return a list of TAP device GUIDs installed on the system,
|
|
// filtered by TAP_WIN_COMPONENT_ID.
|
|
inline std::vector<TapGuidLuid> tap_guids(bool wintun)
|
|
{
|
|
LONG status;
|
|
DWORD len;
|
|
DWORD data_type;
|
|
|
|
std::vector<TapGuidLuid> ret;
|
|
|
|
Win::RegKey adapter_key;
|
|
status = ::RegOpenKeyExA(HKEY_LOCAL_MACHINE,
|
|
ADAPTER,
|
|
0,
|
|
KEY_READ,
|
|
adapter_key.ref());
|
|
if (status != ERROR_SUCCESS)
|
|
{
|
|
const Win::Error err(status);
|
|
OPENVPN_THROW(tun_win_util, "tap_guids: error opening adapter registry key: " << ADAPTER << " : " << err.message());
|
|
}
|
|
|
|
for (int i = 0;; ++i)
|
|
{
|
|
char strbuf[256];
|
|
Win::RegKey unit_key;
|
|
|
|
len = sizeof(strbuf);
|
|
status = ::RegEnumKeyExA(adapter_key(),
|
|
i,
|
|
strbuf,
|
|
&len,
|
|
nullptr,
|
|
nullptr,
|
|
nullptr,
|
|
nullptr);
|
|
if (status == ERROR_NO_MORE_ITEMS)
|
|
break;
|
|
else if (status != ERROR_SUCCESS)
|
|
OPENVPN_THROW(tun_win_util, "tap_guids: error enumerating registry subkeys of key: " << ADAPTER);
|
|
strbuf[len] = '\0';
|
|
|
|
const std::string unit_string = std::string(ADAPTER)
|
|
+ std::string("\\")
|
|
+ std::string(strbuf);
|
|
|
|
status = ::RegOpenKeyExA(HKEY_LOCAL_MACHINE,
|
|
unit_string.c_str(),
|
|
0,
|
|
KEY_READ,
|
|
unit_key.ref());
|
|
|
|
if (status != ERROR_SUCCESS)
|
|
continue;
|
|
|
|
len = sizeof(strbuf);
|
|
status = ::RegQueryValueExA(unit_key(),
|
|
"ComponentId",
|
|
nullptr,
|
|
&data_type,
|
|
(LPBYTE)strbuf,
|
|
&len);
|
|
|
|
if (status != ERROR_SUCCESS || data_type != REG_SZ)
|
|
continue;
|
|
strbuf[len] = '\0';
|
|
if (std::strcmp(strbuf, wintun ? WINTUN_COMPONENT_ID : COMPONENT_ID))
|
|
continue;
|
|
|
|
TapGuidLuid tgl;
|
|
|
|
len = sizeof(strbuf);
|
|
status = ::RegQueryValueExA(unit_key(),
|
|
"NetCfgInstanceId",
|
|
nullptr,
|
|
&data_type,
|
|
(LPBYTE)strbuf,
|
|
&len);
|
|
|
|
if (status == ERROR_SUCCESS && data_type == REG_SZ)
|
|
{
|
|
strbuf[len] = '\0';
|
|
tgl.first = std::string(strbuf);
|
|
}
|
|
|
|
DWORD luid;
|
|
len = sizeof(luid);
|
|
status = ::RegQueryValueExA(unit_key(),
|
|
"NetLuidIndex",
|
|
nullptr,
|
|
&data_type,
|
|
(LPBYTE)&luid,
|
|
&len);
|
|
|
|
if (status == ERROR_SUCCESS && data_type == REG_DWORD)
|
|
{
|
|
tgl.second = luid;
|
|
}
|
|
|
|
ret.push_back(tgl);
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
struct TapNameGuidPair
|
|
{
|
|
TapNameGuidPair() : index(DWORD(-1)) {}
|
|
|
|
bool index_defined() const { return index != DWORD(-1); }
|
|
|
|
std::string index_or_name() const
|
|
{
|
|
if (index_defined())
|
|
return to_string(index);
|
|
else if (!name.empty())
|
|
return '"' + name + '"';
|
|
else
|
|
OPENVPN_THROW(tun_win_util, "TapNameGuidPair: TAP interface " << guid << " has no name or interface index");
|
|
}
|
|
|
|
std::string name;
|
|
std::string guid;
|
|
DWORD net_luid_index;
|
|
DWORD index;
|
|
};
|
|
|
|
struct TapNameGuidPairList : public std::vector<TapNameGuidPair>
|
|
{
|
|
TapNameGuidPairList(bool wintun)
|
|
{
|
|
// first get the TAP guids
|
|
{
|
|
std::vector<TapGuidLuid> guids = tap_guids(wintun);
|
|
for (auto i = guids.begin(); i != guids.end(); i++)
|
|
{
|
|
TapNameGuidPair pair;
|
|
pair.guid = i->first;
|
|
pair.net_luid_index = i->second;
|
|
|
|
// lookup adapter index
|
|
{
|
|
ULONG aindex;
|
|
const size_t len = 128;
|
|
wchar_t wbuf[len];
|
|
_snwprintf(wbuf, len, L"\\DEVICE\\TCPIP_%S", pair.guid.c_str());
|
|
wbuf[len-1] = 0;
|
|
if (::GetAdapterIndex(wbuf, &aindex) == NO_ERROR)
|
|
pair.index = aindex;
|
|
}
|
|
|
|
push_back(pair);
|
|
}
|
|
}
|
|
|
|
// next, match up control panel interface names with GUIDs
|
|
{
|
|
LONG status;
|
|
DWORD len;
|
|
DWORD data_type;
|
|
|
|
Win::RegKey network_connections_key;
|
|
status = ::RegOpenKeyExA(HKEY_LOCAL_MACHINE,
|
|
NETWORK_CONNECTIONS,
|
|
0,
|
|
KEY_READ,
|
|
network_connections_key.ref());
|
|
if (status != ERROR_SUCCESS)
|
|
{
|
|
const Win::Error err(status);
|
|
OPENVPN_THROW(tun_win_util, "TapNameGuidPairList: error opening network connections registry key: " << NETWORK_CONNECTIONS << " : " << err.message());
|
|
}
|
|
|
|
for (int i = 0;; ++i)
|
|
{
|
|
char strbuf[256];
|
|
Win::RegKey connection_key;
|
|
|
|
len = sizeof(strbuf);
|
|
status = ::RegEnumKeyExA(network_connections_key(),
|
|
i,
|
|
strbuf,
|
|
&len,
|
|
nullptr,
|
|
nullptr,
|
|
nullptr,
|
|
nullptr);
|
|
if (status == ERROR_NO_MORE_ITEMS)
|
|
break;
|
|
else if (status != ERROR_SUCCESS)
|
|
OPENVPN_THROW(tun_win_util, "TapNameGuidPairList: error enumerating registry subkeys of key: " << NETWORK_CONNECTIONS);
|
|
strbuf[len] = '\0';
|
|
|
|
const std::string guid = std::string(strbuf);
|
|
const std::string connection_string = std::string(NETWORK_CONNECTIONS) + std::string("\\") + guid + std::string("\\Connection");
|
|
|
|
status = ::RegOpenKeyExA(HKEY_LOCAL_MACHINE,
|
|
connection_string.c_str(),
|
|
0,
|
|
KEY_READ,
|
|
connection_key.ref());
|
|
if (status != ERROR_SUCCESS)
|
|
continue;
|
|
|
|
len = sizeof(strbuf);
|
|
status = ::RegQueryValueExA(connection_key(),
|
|
"Name",
|
|
nullptr,
|
|
&data_type,
|
|
(LPBYTE)strbuf,
|
|
&len);
|
|
if (status != ERROR_SUCCESS || data_type != REG_SZ)
|
|
continue;
|
|
strbuf[len] = '\0';
|
|
const std::string name = std::string(strbuf);
|
|
|
|
// iterate through self and try to patch the name
|
|
{
|
|
for (iterator j = begin(); j != end(); j++)
|
|
{
|
|
TapNameGuidPair& pair = *j;
|
|
if (pair.guid == guid)
|
|
pair.name = name;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
std::string to_string() const
|
|
{
|
|
std::ostringstream os;
|
|
for (const_iterator i = begin(); i != end(); i++)
|
|
{
|
|
const TapNameGuidPair& pair = *i;
|
|
os << "guid='" << pair.guid << '\'';
|
|
if (pair.index_defined())
|
|
os << " index=" << pair.index;
|
|
if (!pair.name.empty())
|
|
os << " name='" << pair.name << '\'';
|
|
os << std::endl;
|
|
}
|
|
return os.str();
|
|
}
|
|
|
|
std::string name_from_guid(const std::string& guid) const
|
|
{
|
|
for (const_iterator i = begin(); i != end(); i++)
|
|
{
|
|
const TapNameGuidPair& pair = *i;
|
|
if (pair.guid == guid)
|
|
return pair.name;
|
|
}
|
|
}
|
|
|
|
std::string guid_from_name(const std::string& name) const
|
|
{
|
|
for (const_iterator i = begin(); i != end(); i++)
|
|
{
|
|
const TapNameGuidPair& pair = *i;
|
|
if (pair.name == name)
|
|
return pair.guid;
|
|
}
|
|
}
|
|
};
|
|
|
|
inline HANDLE impersonate_as_system()
|
|
{
|
|
HANDLE thread_token, process_snapshot, winlogon_process, winlogon_token, duplicated_token, file_handle;
|
|
PROCESSENTRY32 entry = {};
|
|
entry.dwSize = sizeof(PROCESSENTRY32);
|
|
BOOL ret;
|
|
DWORD pid = 0;
|
|
TOKEN_PRIVILEGES privileges = {};
|
|
privileges.PrivilegeCount = 1;
|
|
privileges.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
|
|
|
|
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &privileges.Privileges[0].Luid))
|
|
return INVALID_HANDLE_VALUE;
|
|
if (!ImpersonateSelf(SecurityImpersonation))
|
|
return INVALID_HANDLE_VALUE;
|
|
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &thread_token))
|
|
{
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
if (!AdjustTokenPrivileges(thread_token, FALSE, &privileges, sizeof(privileges), NULL, NULL))
|
|
{
|
|
CloseHandle(thread_token);
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
CloseHandle(thread_token);
|
|
|
|
process_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
|
if (process_snapshot == INVALID_HANDLE_VALUE)
|
|
{
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
for (ret = Process32First(process_snapshot, &entry); ret; ret = Process32Next(process_snapshot, &entry))
|
|
{
|
|
if (!_stricmp(entry.szExeFile, "winlogon.exe"))
|
|
{
|
|
pid = entry.th32ProcessID;
|
|
break;
|
|
}
|
|
}
|
|
CloseHandle(process_snapshot);
|
|
if (!pid)
|
|
{
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
|
|
winlogon_process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
|
|
if (!winlogon_process)
|
|
{
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
|
|
if (!OpenProcessToken(winlogon_process, TOKEN_IMPERSONATE | TOKEN_DUPLICATE, &winlogon_token))
|
|
{
|
|
CloseHandle(winlogon_process);
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
CloseHandle(winlogon_process);
|
|
|
|
if (!DuplicateToken(winlogon_token, SecurityImpersonation, &duplicated_token))
|
|
{
|
|
CloseHandle(winlogon_token);
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
CloseHandle(winlogon_token);
|
|
|
|
if (!SetThreadToken(NULL, duplicated_token))
|
|
{
|
|
CloseHandle(duplicated_token);
|
|
RevertToSelf();
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
CloseHandle(duplicated_token);
|
|
}
|
|
|
|
// given a TAP GUID, form the pathname of the TAP device node
|
|
inline std::string tap_path(const TapNameGuidPair& tap, bool wintun)
|
|
{
|
|
if (wintun)
|
|
return std::string(USERMODEDEVICEDIR) + "WINTUN" + std::to_string(tap.net_luid_index);
|
|
else
|
|
return std::string(USERMODEDEVICEDIR) + tap.guid + std::string(TAP_WIN_SUFFIX);
|
|
}
|
|
|
|
// open an available TAP adapter
|
|
inline HANDLE tap_open(const TapNameGuidPairList& guids,
|
|
std::string& path_opened,
|
|
TapNameGuidPair& used,
|
|
bool wintun)
|
|
{
|
|
Win::ScopedHANDLE hand;
|
|
|
|
// iterate over list of TAP adapters on system
|
|
for (TapNameGuidPairList::const_iterator i = guids.begin(); i != guids.end(); i++)
|
|
{
|
|
const TapNameGuidPair& tap = *i;
|
|
const std::string path = tap_path(tap, wintun);
|
|
|
|
// wintun device can be only opened under LocalSystem account
|
|
if (wintun)
|
|
impersonate_as_system();
|
|
|
|
hand.reset(::CreateFileA(path.c_str(),
|
|
GENERIC_READ | GENERIC_WRITE,
|
|
0, /* was: FILE_SHARE_READ */
|
|
0,
|
|
OPEN_EXISTING,
|
|
FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
|
|
0));
|
|
if (wintun)
|
|
RevertToSelf();
|
|
|
|
if (hand.defined())
|
|
{
|
|
used = tap;
|
|
path_opened = path;
|
|
break;
|
|
}
|
|
}
|
|
return hand.release();
|
|
}
|
|
|
|
// set TAP adapter to topology subnet
|
|
inline void tap_configure_topology_subnet(HANDLE th, const IP::Addr& local, const unsigned int prefix_len)
|
|
{
|
|
const IPv4::Addr netmask = IPv4::Addr::netmask_from_prefix_len(prefix_len);
|
|
const IPv4::Addr network = local.to_ipv4() & netmask;
|
|
|
|
std::uint32_t ep[3];
|
|
ep[0] = htonl(local.to_ipv4().to_uint32());
|
|
ep[1] = htonl(network.to_uint32());
|
|
ep[2] = htonl(netmask.to_uint32());
|
|
|
|
DWORD len;
|
|
if (!::DeviceIoControl(th, TAP_WIN_IOCTL_CONFIG_TUN,
|
|
ep, sizeof (ep),
|
|
ep, sizeof (ep), &len, nullptr))
|
|
throw tun_win_util("DeviceIoControl TAP_WIN_IOCTL_CONFIG_TUN failed");
|
|
}
|
|
|
|
// set TAP adapter to topology net30
|
|
inline void tap_configure_topology_net30(HANDLE th, const IP::Addr& local_addr, const unsigned int prefix_len)
|
|
{
|
|
const IPv4::Addr local = local_addr.to_ipv4();
|
|
const IPv4::Addr netmask = IPv4::Addr::netmask_from_prefix_len(prefix_len);
|
|
const IPv4::Addr network = local & netmask;
|
|
const IPv4::Addr remote = network + 1;
|
|
|
|
std::uint32_t ep[2];
|
|
ep[0] = htonl(local.to_uint32());
|
|
ep[1] = htonl(remote.to_uint32());
|
|
|
|
DWORD len;
|
|
if (!::DeviceIoControl(th, TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT,
|
|
ep, sizeof (ep),
|
|
ep, sizeof (ep), &len, nullptr))
|
|
throw tun_win_util("DeviceIoControl TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT failed");
|
|
}
|
|
|
|
// set driver media status to 'connected'
|
|
inline void tap_set_media_status(HANDLE th, bool media_status)
|
|
{
|
|
DWORD len;
|
|
ULONG status = media_status ? TRUE : FALSE;
|
|
if (!::DeviceIoControl(th, TAP_WIN_IOCTL_SET_MEDIA_STATUS,
|
|
&status, sizeof (status),
|
|
&status, sizeof (status), &len, nullptr))
|
|
throw tun_win_util("DeviceIoControl TAP_WIN_IOCTL_SET_MEDIA_STATUS failed");
|
|
}
|
|
|
|
// get debug logging from TAP driver (requires that
|
|
// TAP driver was built with logging enabled)
|
|
inline void tap_process_logging(HANDLE th)
|
|
{
|
|
const size_t size = 1024;
|
|
std::unique_ptr<char[]> line(new char[size]);
|
|
DWORD len;
|
|
|
|
while (::DeviceIoControl(th, TAP_WIN_IOCTL_GET_LOG_LINE,
|
|
line.get(), size,
|
|
line.get(), size,
|
|
&len, nullptr))
|
|
{
|
|
OPENVPN_LOG("TAP-Windows: " << line.get());
|
|
}
|
|
}
|
|
|
|
struct InterfaceInfoList
|
|
{
|
|
public:
|
|
InterfaceInfoList()
|
|
{
|
|
DWORD size = 0;
|
|
if (::GetInterfaceInfo(nullptr, &size) != ERROR_INSUFFICIENT_BUFFER)
|
|
OPENVPN_THROW(tun_win_util, "InterfaceInfoList: GetInterfaceInfo #1");
|
|
list.reset((IP_INTERFACE_INFO*)new unsigned char[size]);
|
|
if (::GetInterfaceInfo(list.get(), &size) != NO_ERROR)
|
|
OPENVPN_THROW(tun_win_util, "InterfaceInfoList: GetInterfaceInfo #2");
|
|
}
|
|
|
|
IP_ADAPTER_INDEX_MAP* iface(const DWORD index) const
|
|
{
|
|
if (list)
|
|
{
|
|
for (unsigned int i = 0; i < list->NumAdapters; ++i)
|
|
{
|
|
IP_ADAPTER_INDEX_MAP* inter = &list->Adapter[i];
|
|
if (index == inter->Index)
|
|
return inter;
|
|
}
|
|
}
|
|
return nullptr;
|
|
}
|
|
|
|
std::unique_ptr<IP_INTERFACE_INFO> list;
|
|
};
|
|
|
|
inline void dhcp_release(const InterfaceInfoList& ii,
|
|
const DWORD adapter_index,
|
|
std::ostream& os)
|
|
{
|
|
IP_ADAPTER_INDEX_MAP* iface = ii.iface(adapter_index);
|
|
if (iface)
|
|
{
|
|
const DWORD status = ::IpReleaseAddress(iface);
|
|
if (status == NO_ERROR)
|
|
os << "TAP: DHCP release succeeded" << std::endl;
|
|
else
|
|
os << "TAP: DHCP release failed" << std::endl;
|
|
}
|
|
}
|
|
|
|
inline void dhcp_renew(const InterfaceInfoList& ii,
|
|
const DWORD adapter_index,
|
|
std::ostream& os)
|
|
{
|
|
IP_ADAPTER_INDEX_MAP* iface = ii.iface(adapter_index);
|
|
if (iface)
|
|
{
|
|
const DWORD status = ::IpRenewAddress(iface);
|
|
if (status == NO_ERROR)
|
|
os << "TAP: DHCP renew succeeded" << std::endl;
|
|
else
|
|
os << "TAP: DHCP renew failed" << std::endl;
|
|
}
|
|
}
|
|
|
|
inline void flush_arp(const DWORD adapter_index,
|
|
std::ostream& os)
|
|
{
|
|
const DWORD status = ::FlushIpNetTable(adapter_index);
|
|
if (status == NO_ERROR)
|
|
os << "TAP: ARP flush succeeded" << std::endl;
|
|
else
|
|
os << "TAP: ARP flush failed" << std::endl;
|
|
}
|
|
|
|
struct IPNetmask4
|
|
{
|
|
IPNetmask4() {}
|
|
|
|
IPNetmask4(const TunBuilderCapture& pull, const char *title)
|
|
{
|
|
const TunBuilderCapture::RouteAddress* local4 = pull.vpn_ipv4();
|
|
if (local4)
|
|
{
|
|
ip = IPv4::Addr::from_string(local4->address, title);
|
|
netmask = IPv4::Addr::netmask_from_prefix_len(local4->prefix_length);
|
|
}
|
|
}
|
|
|
|
IPNetmask4(const IP_ADDR_STRING *ias)
|
|
{
|
|
if (ias)
|
|
{
|
|
try {
|
|
if (ias->IpAddress.String)
|
|
ip = IPv4::Addr::from_string(ias->IpAddress.String);
|
|
}
|
|
catch (const std::exception&)
|
|
{
|
|
}
|
|
try {
|
|
if (ias->IpMask.String)
|
|
netmask = IPv4::Addr::from_string(ias->IpMask.String);
|
|
}
|
|
catch (const std::exception&)
|
|
{
|
|
}
|
|
}
|
|
}
|
|
|
|
bool operator==(const IPNetmask4& rhs) const
|
|
{
|
|
return ip == rhs.ip && netmask == rhs.netmask;
|
|
}
|
|
|
|
bool operator!=(const IPNetmask4& rhs) const
|
|
{
|
|
return !operator==(rhs);
|
|
}
|
|
|
|
IPv4::Addr ip = IPv4::Addr::from_zero();
|
|
IPv4::Addr netmask = IPv4::Addr::from_zero();
|
|
};
|
|
|
|
struct IPAdaptersInfo
|
|
{
|
|
IPAdaptersInfo()
|
|
{
|
|
ULONG size = 0;
|
|
if (::GetAdaptersInfo(nullptr, &size) != ERROR_BUFFER_OVERFLOW)
|
|
OPENVPN_THROW(tun_win_util, "IPAdaptersInfo: GetAdaptersInfo #1");
|
|
list.reset((IP_ADAPTER_INFO*)new unsigned char[size]);
|
|
if (::GetAdaptersInfo(list.get(), &size) != NO_ERROR)
|
|
OPENVPN_THROW(tun_win_util, "IPAdaptersInfo: GetAdaptersInfo #2");
|
|
}
|
|
|
|
const IP_ADAPTER_INFO* adapter(const DWORD index) const
|
|
{
|
|
if (list)
|
|
{
|
|
for (const IP_ADAPTER_INFO* a = list.get(); a != nullptr; a = a->Next)
|
|
{
|
|
if (index == a->Index)
|
|
return a;
|
|
}
|
|
}
|
|
return nullptr;
|
|
}
|
|
|
|
bool is_up(const DWORD index, const IPNetmask4& vpn_addr) const
|
|
{
|
|
const IP_ADAPTER_INFO* ai = adapter(index);
|
|
if (ai)
|
|
{
|
|
for (const IP_ADDR_STRING *iplist = &ai->IpAddressList; iplist != nullptr; iplist = iplist->Next)
|
|
{
|
|
if (vpn_addr == IPNetmask4(iplist))
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
bool is_dhcp_enabled(const DWORD index) const
|
|
{
|
|
const IP_ADAPTER_INFO* ai = adapter(index);
|
|
return ai && ai->DhcpEnabled;
|
|
}
|
|
|
|
std::unique_ptr<IP_ADAPTER_INFO> list;
|
|
};
|
|
|
|
struct IPPerAdapterInfo
|
|
{
|
|
IPPerAdapterInfo(const DWORD index)
|
|
{
|
|
ULONG size = 0;
|
|
if (::GetPerAdapterInfo(index, nullptr, &size) != ERROR_BUFFER_OVERFLOW)
|
|
return;
|
|
adapt.reset((IP_PER_ADAPTER_INFO*)new unsigned char[size]);
|
|
if (::GetPerAdapterInfo(index, adapt.get(), &size) != ERROR_SUCCESS)
|
|
adapt.reset();
|
|
}
|
|
|
|
std::unique_ptr<IP_PER_ADAPTER_INFO> adapt;
|
|
};
|
|
|
|
// Use the TAP DHCP masquerade capability to set TAP adapter properties.
|
|
// Generally only used on pre-Vista.
|
|
class TAPDHCPMasquerade
|
|
{
|
|
public:
|
|
OPENVPN_EXCEPTION(dhcp_masq);
|
|
|
|
// VPN IP/netmask
|
|
IPNetmask4 vpn;
|
|
|
|
// IP address of fake DHCP server in TAP adapter
|
|
IPv4::Addr dhcp_serv_addr = IPv4::Addr::from_zero();
|
|
|
|
// DHCP lease for one year
|
|
unsigned int lease_time = 31536000;
|
|
|
|
// DHCP options
|
|
std::string domain; // DOMAIN (15)
|
|
std::string netbios_scope; // NBS (47)
|
|
int netbios_node_type = 0; // NBT 1,2,4,8 (46)
|
|
bool disable_nbt = false; // DISABLE_NBT (43, Vendor option 001)
|
|
std::vector<IPv4::Addr> dns; // DNS (6)
|
|
std::vector<IPv4::Addr> wins; // WINS (44)
|
|
std::vector<IPv4::Addr> ntp; // NTP (42)
|
|
std::vector<IPv4::Addr> nbdd; // NBDD (45)
|
|
|
|
void init_from_capture(const TunBuilderCapture& pull)
|
|
{
|
|
// VPN IP/netmask
|
|
vpn = IPNetmask4(pull, "VPN IP");
|
|
|
|
// DHCP server address
|
|
{
|
|
const IPv4::Addr network_addr = vpn.ip & vpn.netmask;
|
|
const std::uint32_t extent = vpn.netmask.extent_from_netmask_uint32();
|
|
if (extent >= 16)
|
|
dhcp_serv_addr = network_addr + (extent - 2);
|
|
else
|
|
dhcp_serv_addr = network_addr;
|
|
}
|
|
|
|
// DNS
|
|
for (auto &ds : pull.dns_servers)
|
|
{
|
|
if (!ds.ipv6)
|
|
dns.push_back(IPv4::Addr::from_string(ds.address, "DNS Server"));
|
|
}
|
|
|
|
// WINS
|
|
for (auto &ws : pull.wins_servers)
|
|
wins.push_back(IPv4::Addr::from_string(ws.address, "WINS Server"));
|
|
|
|
// DOMAIN
|
|
if (!pull.search_domains.empty())
|
|
domain = pull.search_domains[0].domain;
|
|
}
|
|
|
|
void ioctl(HANDLE th) const
|
|
{
|
|
// TAP_WIN_IOCTL_CONFIG_DHCP_MASQ
|
|
{
|
|
std::uint32_t ep[4];
|
|
ep[0] = vpn.ip.to_uint32_net();
|
|
ep[1] = vpn.netmask.to_uint32_net();
|
|
ep[2] = dhcp_serv_addr.to_uint32_net();
|
|
ep[3] = lease_time;
|
|
|
|
DWORD len;
|
|
if (!::DeviceIoControl(th, TAP_WIN_IOCTL_CONFIG_DHCP_MASQ,
|
|
ep, sizeof (ep),
|
|
ep, sizeof (ep), &len, nullptr))
|
|
throw dhcp_masq("DeviceIoControl TAP_WIN_IOCTL_CONFIG_DHCP_MASQ failed");
|
|
}
|
|
|
|
// TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT
|
|
{
|
|
BufferAllocated buf(256, BufferAllocated::GROW);
|
|
write_options(buf);
|
|
|
|
DWORD len;
|
|
if (!::DeviceIoControl(th, TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT,
|
|
buf.data(), buf.size(),
|
|
buf.data(), buf.size(), &len, nullptr))
|
|
throw dhcp_masq("DeviceIoControl TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT failed");
|
|
}
|
|
}
|
|
|
|
private:
|
|
void write_options(Buffer& buf) const
|
|
{
|
|
// DOMAIN
|
|
write_dhcp_str(buf, 15, domain);
|
|
|
|
// NBS
|
|
write_dhcp_str(buf, 47, netbios_scope);
|
|
|
|
// NBT
|
|
if (netbios_node_type)
|
|
write_dhcp_u8(buf, 46, netbios_node_type);
|
|
|
|
// DNS
|
|
write_dhcp_addr_list(buf, 6, dns);
|
|
|
|
// WINS
|
|
write_dhcp_addr_list(buf, 44, wins);
|
|
|
|
// NTP
|
|
write_dhcp_addr_list(buf, 42, ntp);
|
|
|
|
// NBDD
|
|
write_dhcp_addr_list(buf, 45, nbdd);
|
|
|
|
// DISABLE_NBT
|
|
//
|
|
// The MS DHCP server option 'Disable Netbios-over-TCP/IP
|
|
// is implemented as vendor option 001, value 002.
|
|
// A value of 001 means 'leave NBT alone' which is the default.
|
|
if (disable_nbt)
|
|
{
|
|
buf.push_back(43);
|
|
buf.push_back(6); // total length field
|
|
buf.push_back(0x001);
|
|
buf.push_back(4); // length of the vendor-specified field
|
|
{
|
|
const std::uint32_t raw = 0x002;
|
|
buf.write((const unsigned char *)&raw, sizeof(raw));
|
|
}
|
|
}
|
|
}
|
|
|
|
static void write_dhcp_u8(Buffer& buf,
|
|
const unsigned char type,
|
|
const unsigned char data)
|
|
{
|
|
buf.push_back(type);
|
|
buf.push_back(1);
|
|
buf.push_back(data);
|
|
}
|
|
|
|
static void write_dhcp_str(Buffer& buf,
|
|
const unsigned char type,
|
|
const std::string& str)
|
|
{
|
|
const size_t len = str.length();
|
|
if (len)
|
|
{
|
|
if (len > 255)
|
|
OPENVPN_THROW(dhcp_masq, "string '" << str << "' must be > 0 bytes and <= 255 bytes");
|
|
buf.push_back(type);
|
|
buf.push_back((unsigned char)len);
|
|
buf.write((const unsigned char *)str.c_str(), len);
|
|
}
|
|
}
|
|
|
|
static void write_dhcp_addr_list(Buffer& buf,
|
|
const unsigned char type,
|
|
const std::vector<IPv4::Addr>& addr_list)
|
|
{
|
|
if (!addr_list.empty())
|
|
{
|
|
const size_t size = addr_list.size() * sizeof(std::uint32_t);
|
|
if (size < 1 || size > 255)
|
|
OPENVPN_THROW(dhcp_masq, "array size=" << size << " must be > 0 bytes and <= 255 bytes");
|
|
buf.push_back(type);
|
|
buf.push_back((unsigned char)size);
|
|
for (auto &a : addr_list)
|
|
{
|
|
const std::uint32_t rawaddr = a.to_uint32_net();
|
|
buf.write((const unsigned char *)&rawaddr, sizeof(std::uint32_t));
|
|
}
|
|
}
|
|
}
|
|
};
|
|
|
|
class TAPDriverVersion
|
|
{
|
|
public:
|
|
TAPDriverVersion(HANDLE th)
|
|
: defined(false)
|
|
{
|
|
DWORD len;
|
|
info[0] = info[1] = info[2] = 0;
|
|
if (::DeviceIoControl(th, TAP_WIN_IOCTL_GET_VERSION,
|
|
&info, sizeof (info),
|
|
&info, sizeof (info), &len, nullptr))
|
|
defined = true;
|
|
}
|
|
|
|
std::string to_string()
|
|
{
|
|
std::ostringstream os;
|
|
os << "TAP-Windows Driver Version ";
|
|
if (defined)
|
|
{
|
|
os << info[0] << '.' << info[1];
|
|
if (info[2])
|
|
os << " (DEBUG)";
|
|
}
|
|
else
|
|
os << "UNDEFINED";
|
|
return os.str();
|
|
}
|
|
|
|
private:
|
|
bool defined;
|
|
ULONG info[3];
|
|
};
|
|
|
|
// An action to set the DNS "Connection-specific DNS Suffix"
|
|
class ActionSetAdapterDomainSuffix : public Action
|
|
{
|
|
public:
|
|
ActionSetAdapterDomainSuffix(const std::string& search_domain_arg,
|
|
const std::string& tap_guid_arg)
|
|
: search_domain(search_domain_arg),
|
|
tap_guid(tap_guid_arg)
|
|
{
|
|
}
|
|
|
|
virtual void execute(std::ostream& os) override
|
|
{
|
|
os << to_string() << std::endl;
|
|
|
|
LONG status;
|
|
Win::RegKey key;
|
|
const std::string reg_key_name = "SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\" + tap_guid;
|
|
status = ::RegOpenKeyExA(HKEY_LOCAL_MACHINE,
|
|
reg_key_name.c_str(),
|
|
0,
|
|
KEY_READ|KEY_WRITE,
|
|
key.ref());
|
|
if (status != ERROR_SUCCESS)
|
|
{
|
|
const Win::Error err(status);
|
|
OPENVPN_THROW(tun_win_util, "ActionSetAdapterDomainSuffix: error opening registry key: " << reg_key_name << " : " << err.message());
|
|
}
|
|
|
|
Win::UTF16 dom(Win::utf16(search_domain));
|
|
status = ::RegSetValueExW(key(),
|
|
L"Domain",
|
|
0,
|
|
REG_SZ,
|
|
(const BYTE *)dom.get(),
|
|
(Win::utf16_strlen(dom.get())+1)*2);
|
|
if (status != ERROR_SUCCESS)
|
|
OPENVPN_THROW(tun_win_util, "ActionSetAdapterDomainSuffix: error writing Domain registry key: " << reg_key_name);
|
|
}
|
|
|
|
virtual std::string to_string() const override
|
|
{
|
|
return "Set adapter domain suffix: '" + search_domain + "' " + tap_guid;
|
|
}
|
|
|
|
private:
|
|
const std::string search_domain;
|
|
const std::string tap_guid;
|
|
};
|
|
|
|
// get the Windows IPv4 routing table
|
|
inline const MIB_IPFORWARDTABLE* windows_routing_table()
|
|
{
|
|
ULONG size = 0;
|
|
DWORD status;
|
|
std::unique_ptr<MIB_IPFORWARDTABLE> rt;
|
|
|
|
status = ::GetIpForwardTable(nullptr, &size, TRUE);
|
|
if (status == ERROR_INSUFFICIENT_BUFFER)
|
|
{
|
|
rt.reset((MIB_IPFORWARDTABLE*)new unsigned char[size]);
|
|
status = ::GetIpForwardTable(rt.get(), &size, TRUE);
|
|
if (status != NO_ERROR)
|
|
{
|
|
OPENVPN_LOG("windows_routing_table: GetIpForwardTable failed");
|
|
return nullptr;
|
|
}
|
|
}
|
|
return rt.release();
|
|
}
|
|
|
|
#if _WIN32_WINNT >= 0x0600 // Vista and higher
|
|
// Get the Windows IPv4/IPv6 routing table.
|
|
// Note that returned pointer must be freed with FreeMibTable.
|
|
inline const MIB_IPFORWARD_TABLE2* windows_routing_table2(ADDRESS_FAMILY af)
|
|
{
|
|
MIB_IPFORWARD_TABLE2* routes = nullptr;
|
|
int res = ::GetIpForwardTable2(af, &routes);
|
|
if (res == NO_ERROR)
|
|
return routes;
|
|
else
|
|
return nullptr;
|
|
}
|
|
#endif
|
|
|
|
// Get the current default gateway
|
|
class DefaultGateway
|
|
{
|
|
public:
|
|
DefaultGateway()
|
|
: index(DWORD(-1))
|
|
{
|
|
std::unique_ptr<const MIB_IPFORWARDTABLE> rt(windows_routing_table());
|
|
if (rt)
|
|
{
|
|
const MIB_IPFORWARDROW* gw = nullptr;
|
|
for (size_t i = 0; i < rt->dwNumEntries; ++i)
|
|
{
|
|
const MIB_IPFORWARDROW* row = &rt->table[i];
|
|
if (!row->dwForwardDest && !row->dwForwardMask
|
|
&& (!gw || row->dwForwardMetric1 < gw->dwForwardMetric1))
|
|
gw = row;
|
|
}
|
|
if (gw)
|
|
{
|
|
index = gw->dwForwardIfIndex;
|
|
addr = IPv4::Addr::from_uint32(ntohl(gw->dwForwardNextHop)).to_string();
|
|
}
|
|
}
|
|
}
|
|
|
|
bool defined() const
|
|
{
|
|
return index != DWORD(-1) && !addr.empty();
|
|
}
|
|
|
|
DWORD interface_index() const
|
|
{
|
|
return index;
|
|
}
|
|
|
|
const std::string& gateway_address() const
|
|
{
|
|
return addr;
|
|
}
|
|
|
|
private:
|
|
DWORD index;
|
|
std::string addr;
|
|
};
|
|
|
|
// An action to delete all routes on an interface
|
|
class ActionDeleteAllRoutesOnInterface : public Action
|
|
{
|
|
public:
|
|
ActionDeleteAllRoutesOnInterface(const DWORD iface_index_arg)
|
|
: iface_index(iface_index_arg)
|
|
{
|
|
}
|
|
|
|
virtual void execute(std::ostream& os) override
|
|
{
|
|
os << to_string() << std::endl;
|
|
|
|
ActionList::Ptr actions = new ActionList();
|
|
remove_all_ipv4_routes_on_iface(iface_index, *actions);
|
|
#if _WIN32_WINNT >= 0x0600 // Vista and higher
|
|
remove_all_ipv6_routes_on_iface(iface_index, *actions);
|
|
#endif
|
|
actions->execute(os);
|
|
}
|
|
|
|
virtual std::string to_string() const override
|
|
{
|
|
return "ActionDeleteAllRoutesOnInterface iface_index=" + std::to_string(iface_index);
|
|
}
|
|
|
|
private:
|
|
static void remove_all_ipv4_routes_on_iface(DWORD index, ActionList& actions)
|
|
{
|
|
std::unique_ptr<const MIB_IPFORWARDTABLE> rt(windows_routing_table());
|
|
if (rt)
|
|
{
|
|
for (size_t i = 0; i < rt->dwNumEntries; ++i)
|
|
{
|
|
const MIB_IPFORWARDROW* row = &rt->table[i];
|
|
if (row->dwForwardIfIndex == index)
|
|
{
|
|
const IPv4::Addr net = IPv4::Addr::from_uint32(ntohl(row->dwForwardDest));
|
|
const IPv4::Addr mask = IPv4::Addr::from_uint32(ntohl(row->dwForwardMask));
|
|
const std::string net_str = net.to_string();
|
|
const unsigned int pl = mask.prefix_len();
|
|
|
|
// don't remove multicast route or other Windows-assigned routes
|
|
if (net_str == "224.0.0.0" && pl == 4)
|
|
continue;
|
|
if (net_str == "255.255.255.255" && pl == 32)
|
|
continue;
|
|
|
|
actions.add(new WinCmd("netsh interface ip delete route " + net_str + '/' + openvpn::to_string(pl) + ' ' + openvpn::to_string(index) + " store=active"));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
#if _WIN32_WINNT >= 0x0600 // Vista and higher
|
|
static void remove_all_ipv6_routes_on_iface(DWORD index, ActionList& actions)
|
|
{
|
|
unique_ptr_del<const MIB_IPFORWARD_TABLE2> rt2(windows_routing_table2(AF_INET6),
|
|
[](const MIB_IPFORWARD_TABLE2* p) { FreeMibTable((PVOID)p); });
|
|
if (rt2)
|
|
{
|
|
const IPv6::Addr ll_net = IPv6::Addr::from_string("fe80::");
|
|
const IPv6::Addr ll_mask = IPv6::Addr::netmask_from_prefix_len(64);
|
|
for (size_t i = 0; i < rt2->NumEntries; ++i)
|
|
{
|
|
const MIB_IPFORWARD_ROW2* row = &rt2->Table[i];
|
|
if (row->InterfaceIndex == index)
|
|
{
|
|
const unsigned int pl = row->DestinationPrefix.PrefixLength;
|
|
if (row->DestinationPrefix.Prefix.si_family == AF_INET6)
|
|
{
|
|
const IPv6::Addr net = IPv6::Addr::from_byte_string(row->DestinationPrefix.Prefix.Ipv6.sin6_addr.u.Byte);
|
|
const std::string net_str = net.to_string();
|
|
|
|
// don't remove multicast route or other Windows-assigned routes
|
|
if (net_str == "ff00::" && pl == 8)
|
|
continue;
|
|
if ((net & ll_mask) == ll_net && pl >= 64)
|
|
continue;
|
|
actions.add(new WinCmd("netsh interface ipv6 delete route " + net_str + '/' + openvpn::to_string(pl) + ' ' + openvpn::to_string(index) + " store=active"));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
const DWORD iface_index;
|
|
};
|
|
|
|
class ActionEnableDHCP : public WinCmd
|
|
{
|
|
public:
|
|
ActionEnableDHCP(const TapNameGuidPair& tap)
|
|
: WinCmd(cmd(tap))
|
|
{
|
|
}
|
|
|
|
private:
|
|
static std::string cmd(const TapNameGuidPair& tap)
|
|
{
|
|
return "netsh interface ip set address " + tap.index_or_name() + " dhcp";
|
|
}
|
|
};
|
|
|
|
}
|
|
}
|
|
}
|
|
|
|
#endif
|