From 29359503838756c0284b321dac24e0feeb84d056 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 20 Nov 2012 10:22:50 +0100 Subject: VPN+tethering is becoming a FAQ --- res/layout/faq.xml | 8 ++++++++ res/values/strings.xml | 4 +++- src/de/blinkt/openvpn/FaqFragment.java | 3 ++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/res/layout/faq.xml b/res/layout/faq.xml index c4fd57f0..8e0f561f 100644 --- a/res/layout/faq.xml +++ b/res/layout/faq.xml @@ -48,6 +48,14 @@ style="@style/faqitem" android:text="@string/faq_tap_mode" /> + + + + diff --git a/res/values/strings.xml b/res/values/strings.xml index a0d1a4f0..7958aca9 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml 
@@ -228,5 +228,7 @@ OpenVPN Log Import OpenVPN configuration Battery consumption - In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which translates to a keepalive packet from client to server and server to client every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunatly using a keepalive larger than 60 seconds with udp has problems with some NAT gateways which terminate the state for a connnection after a short timeout (60s in my tests). Using TCP with long keepalive timeout works but has the TCP over TCP problem. (See <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>) + In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which translates to a keepalive packet from client to server and server to client every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunately using a keepalive larger than 60 seconds with udp has problems with some NAT gateways which terminate the state for a connnection after a short timeout (60s in my tests). Using TCP with long keepalive timeout works but has the TCP over TCP problem. 
(See <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>) + The Android Tethering feature (over WiFi, USB or Bluetooth) and the VPNService API (used by this program) do not work together. For more details see the <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a> + VPN and Tethering diff --git a/src/de/blinkt/openvpn/FaqFragment.java b/src/de/blinkt/openvpn/FaqFragment.java index 79029757..1b262c7f 100644 --- a/src/de/blinkt/openvpn/FaqFragment.java +++ b/src/de/blinkt/openvpn/FaqFragment.java @@ -24,7 +24,8 @@ public class FaqFragment extends Fragment { insertHtmlEntry(v,R.id.brokenimages,R.string.broken_images_faq); insertHtmlEntry(v,R.id.faq_howto,R.string.faq_howto); - insertHtmlEntry(v, R.id.faq_battery, R.string.baterry_consumption); + insertHtmlEntry(v, R.id.faq_battery, R.string.baterry_consumption); + insertHtmlEntry(v, R.id.vpn_tethering, R.string.faq_tethering); return v; -- cgit v1.2.3 From 6ce08aeed7c84eccc0baf79da1e19ea538119199 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 20 Nov 2012 22:18:08 +0100 Subject: Add script to generate FAQ in the google CODE project. --- fetchtranslations.sh | 5 +- genFAQ.py | 96 +++++++++++++++++++++++++ res/layout/faq.xml | 6 +- res/values-cs/strings.xml | 5 ++ res/values-de/strings.xml | 6 ++ res/values-et/strings.xml | 16 ++--- res/values-fr/strings.xml | 6 ++ res/values-ko/strings.xml | 5 ++ res/values-ru/strings.xml | 53 ++++++++++++-- res/values-zh-rTW/arrays.xml | 27 +++++++ res/values-zh-rTW/strings.xml | 124 ++++++++++++++++++++++++++++++++ src/de/blinkt/openvpn/ConfigParser.java | 2 + src/de/blinkt/openvpn/FaqFragment.java | 6 +- src/de/blinkt/openvpn/VpnProfile.java | 1 + 14 files changed, 336 insertions(+), 22 deletions(-) create mode 100755 genFAQ.py create mode 100755 res/values-zh-rTW/arrays.xml create mode 100755 res/values-zh-rTW/strings.xml 
diff --git a/fetchtranslations.sh b/fetchtranslations.sh index ff265954..98f63801 100755 --- a/fetchtranslations.sh +++ b/fetchtranslations.sh @@ -19,11 +19,14 @@ done # Chinese language require zh-CN and zh-TW -for lang in "zh-CN" +for lang in zh-CN zh-TW do if [ $lang = "zh-CN" ] ; then rlang="zh-rCN" + elif [ $lang = "zh-TW" ] ; then + rlang="zh-rTW" fi + echo "Fetch archive for $lang" fetch http://crowdin.net/download/project/ics-openvpn/$lang.zip tar -xv -C res/values-$rlang/ --strip-components 3 -f $lang.zip diff --git a/genFAQ.py b/genFAQ.py new file mode 100755 index 00000000..1815f7a2 --- /dev/null +++ b/genFAQ.py 
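Review bot: The archive for each language is downloaded over plain HTTP (`fetch http://crowdin.net/download/project/ics-openvpn/$lang.zip`) and unpacked straight into `res/values-$rlang/` with no integrity check, and the added zh-TW entry sends a second archive down that path. Fetching over HTTPS if the service offers it, and unpacking into a scratch directory so the diff can be reviewed before it is copied into `res/`, would keep tampered or unexpected files out of the app's string resources. `rlang` is also assigned only inside the two branches, so a language added to the list without a matching branch silently reuses the previous iteration's directory; an `else` that prints an error and exits would catch that, and quoting `"$lang"` in the `[ ... ]` tests is safer. The script begins above the hunk, so earlier handling is not visible here.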
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+# Quick and dirty script to generate googlecode wiki pages
+
+import codecs
+import xml.dom.minidom as dom
+import os.path
+
+faqpath = "/Users/arne/oss/ics-openvpn.wiki"
+
+header="""
+
+This page is autogenerated. Do not edit
+
+
+= Frequently aksed questions =
+"""
+
+def getString(strid,lang):
+ if strid in strres[lang]:
+ return strres[lang][strid]
+ else:
+ return strres["default"][strid]
+
+def genPage(faqdom,lang):
+ out =""
+
+ out+="#summary %s\n" % getString("faq_summary",lang)
+ out+= header
+
+ for xmld in faqdom.firstChild.childNodes:
+ for xmle in xmld.childNodes:
+ if xmle.nodeName == "TextView":
+ style = xmle.getAttribute("style")
+
+ textstyle = None
+ if style == "@style/faqhead":
+ textstyle = "== %s ==\n"
+ elif style == "@style/faqitem":
+ textstyle = "%s\n"
+
+ atext = xmle.getAttribute("android:text")
+ aid = xmle.getAttribute("android:id")
+ if atext:
+ atextid = atext.replace("@string/","")
+ else:
+ atextid = aid.replace("@+id/","")
+
+ out += textstyle % getString(atextid,lang)
+
+ return out
+
+
+strres={}
+
+def loadstrres(filename,lang):
+ xmlstr = dom.parse(filename)
+ strres[lang]={}
+ for xmld in xmlstr.childNodes:
+ for xmle in xmld.childNodes:
+ if xmle.nodeName == "string":
+ strname= xmle.getAttribute("name")
+ strdata = xmle.firstChild.data
+ strres[lang][strname]=strdata
+
+
+def main():
+
+ loadstrres("res/values/strings.xml","default")
+
+ faqdom = dom.parse("res/layout/faq.xml")
+ faq= genPage(faqdom,"default")
+
+ open(faqpath + "/FAQ.wiki","w").write(faq)
+
+ for directory in os.listdir("res"):
+ if directory.startswith("values-"):
+ lang = directory.split("-",1)[1]
+ loadstrres("res/values-%s/strings.xml" % lang,lang)
+
+ langdir= "%s/%s" %(faqpath,lang)
+ if lang=="zh-rCN":
+ langdir= "%s/%s" %(faqpath,"zh-Hans")
+ elif lang=="zh-rTW":
+ langdir= "%s/%s" %(faqpath,"zh-Hant")
+
+
+ if not os.path.exists(langdir):
+ os.mkdir(langdir)
+
+ print lang
+ faq= genPage(faqdom,lang)
+ open("%s/FAQ.wiki" % langdir,"w").write(faq.encode("utf-8"))
+
+
+if __name__=="__main__":
+ main()
diff --git a/res/layout/faq.xml b/res/layout/faq.xml
index 8e0f561f..959e82a5 100644
--- a/res/layout/faq.xml
+++ b/res/layout/faq.xml
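Review bot: `loadstrres` runs `dom.parse` on every `res/values-*/strings.xml`, and those files are unpacked from the archives that fetchtranslations.sh downloads, so the generator parses externally contributed XML with `xml.dom.minidom`, which the Python documentation describes as not secure against maliciously constructed data, and then writes the string text verbatim into the wiki pages. Treat the translation files as untrusted input: review the fetched diff before running the script, and consider rejecting any file that carries a DOCTYPE before it is parsed. Separately, in `genPage` the variable `textstyle` stays `None` for a TextView whose style is neither `@style/faqhead` nor `@style/faqitem`, so `out += textstyle % getString(atextid,lang)` raises a TypeError; a guard such as `if textstyle is None: continue` after the style check avoids that. `strdata = xmle.firstChild.data` likewise fails on an empty `<string>` element, where `firstChild` is `None`. The default page is written without `.encode("utf-8")` while the per-language pages are encoded, and neither `open(...)` handle is closed; a `with` block and one consistent encoding step would fix both.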
@@ -37,7 +37,7 @@ android:text="@string/battery_consumption_title" /> + android:id="@+id/faq_tethering" /> Směrování a rozhraní není nastavováno tradičním ifconfig/route způsobem, ale použitím VPNService API. Výsledkem je odlišný způsob směrování než na jiných operační systémech. Nastavení sestává pouze z IP tunelového rozhraní a sítě, která má být směrována skrz tento interface. Speciálně, žádná adresa partnera nebo brány není potřeba. Zvláštní směrování pro připojení k VPN serveru (například při poušití direktivy redirect-gateway) také nejsou potřeba. Aplikace bude tato nastavení při importu ignorovat. Aplikace zajišťuje ve spojení s VPNService API, že připojení k serveru nejde skrz tunel. Protože je podporované jen nastavení sítí, které jsou směrované skrz tunel, nelze podporovat nastavení extra sítí, které skrz runel nejdou (např route x.x.x.x y.y.y.y net_gateway). V okně s logem je možné zobrazit současné nastavení VPNService. Nevracej se ke spojení mimo VPN, zatímco se OpenVPN připojuje. Trvalý tun + Překlad + OpenVPN Log + Importovat OpenVPN nastavení + Spotřeba baterie + V testech se jako hlavní důvod vysoké spotřeby baterie ukázaly keepalive pakety. Většina OpenVPN serverů má v konfiguraci něco jako \'keepalive 10 60\', což znamená posílání paketů každých deset vteřin. <p> Tyto pakety jsou malé a neznamenají velký provoz, ale udržují mobilní síť aktivní a zvyšují spotřebu energie. <p> Toto nastavení nelze změnit na klientské straně. Jen administrátor OpenVPN může toto nastavení změnit. <p> Bohužel používání keepalive hodnot větších než 60 vteřin spolu s UDP může způsobovat problémy s některými NATy, které ukončují po krátkém čase spojení. Použití TCP s dlouhým keepalive funguje, ale má problém \"TCP přes TCP\" (Viz <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Proč je TCP přes TCP špatný nápad</a>) diff --git a/res/values-de/strings.xml b/res/values-de/strings.xml index b03f0238..693ea7ce 100755 --- a/res/values-de/strings.xml 
+++ b/res/values-de/strings.xml @@ -187,6 +187,7 @@ Fehler beim Zugriff auf den Android Keystore %1$s: %2$s Die Meldung, dass OpenVPN versucht eine VPN-Verbindung aufzubauen und dabei den gesamten Netzwerkverkehr abhören kann, wird vom Android System selbst erzeugt. Diese wird vom System erzwungen, damit keine Anwendung vom Benutzer unbemerkt eine VPN Verbindung aufbauen kann\Die VPN Benachrichtigung (Das Schlüssel Symbol) wird genauso vom Android System angezeigt um eine bestehende VPN anzuzeigen.\nDiese beiden Features wurden in Android für die Sicherheit des Nutzers implementiert und können nicht umgangen werden. (Auf machen Telefon/Tablets wird die Benachrichtigung leider mit einem Ton signalisiert.) Warnung beim Verbinden und Benachrichtigungston + Deutsche Übersetzung von Arne Schwabe <arne@rfc2549.org> IP und DNS Grundeinstellungen Routing 
@@ -223,4 +224,9 @@ In dieser Anwendung wird die Routing und Netzwerkkonfiguration nicht mit den traditionellen ifconfig/route Kommandos konfiguriert sondern mittels der VPNService API. Diese erwartet eine Tunnel IP Adresse und die Netzwerke, die über den Tunnel geroutet werden sollen. Insbesondere wird keine Gateway oder Peer IP Adresse benötigt. Die Anwendung ignoriert diese daher auch beim Import. Dass die Verbindung zum VPN Server nicht über den Tunnel geroutet wird, wird auch über die VPNService API sichergestellt ohne dass hierfür spezielle Routen nötig sind. Da nur Netzwerke, die über den Tunnel geroutet werden sollen, angeben werden können, ist es nicht möglich andere Routen zu unterstützen (z.B. route x.x.x.x y.y.y.y net_gateway)\" Verhindere Zurückfallen auf nicht VPN Verbindungen während OpenVPN neu verbindet. Persistentes tun Device + Übersetzung + OpenVPN-Log + OpenVPN Konfiguration importieren + Energieverbrauch + In meinen eigenen Tests ist der Hauptgrund für den hohen Stromverbrauch von OpenVPN das Senden und Empfangen der Keepalive-Pakete. Die meisten OpenVPN-Server haben eine Konfigurationsoption wie \' keepalive 10 60\', was bedeutet dass vom Client an den Server und Server an den Client alle zehn Sekunden ein Paket geschickt wird. <p> Diese Pakete sind klein und erzeugen keine große Datenmenge. Sie sorgen allerdings dafür, dass das permanent Daten übertragen werden und somit auch die Mobilfunk bzw. WLAN Einheit aktiv ist und steigern damit den Energieverbrauch. <p> Diese keepalive Einstellung kann nicht auf dem Client geändert werden. Nur der Systemadministrator des VPN Servers kann die Einstellung ändern. <p> Leider hat eine keepalive Einstellung von mehr als 60 Sekunden mit udp Probleme mit einigen NAT-Gateways, die für inaktive Verbindung nur eine sehr kurze Haltzeit haben und danach verwerfen (60s in meinen Tests). Benutzen von TCP mit langen Keep-Alive-Timeout funktioniert, hat aber das TCP über TCP Problem. 
(Siehe < a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\" > Why TCP Over TCP Is A Bad Ide</a>) diff --git a/res/values-et/strings.xml b/res/values-et/strings.xml index e3f6ef66..0eb5d9a0 100755 --- a/res/values-et/strings.xml +++ b/res/values-et/strings.xml @@ -84,7 +84,7 @@ Suuna kogu võrguliiklus VPN kaudu Kasuta vaikeruutingut Sisesta oma personaalsed ruutingud. Sihtkoht peab olema CIDR formaadis. \"10.0.0.0/8 2002::/16\" suunab võrgud 10.0.0.0/8 ja 2002::/16 VPN kaudu. - Omalt poolt määratud ruutingud + Marsruutide kohandamine Logimise detailsus Suvalise IP autenditud paketid on lubatud Luba \'ujuv\' server @@ -101,11 +101,11 @@ Lokaalne IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d DNS Server: %s DNS domeen: %s - Ruutingud: %s - IPv6 ruutingud: %s + Marsruudid: %s + IPv6 marsruudid: %s Liidese andmed on %1$s ja %2$s, eeldades et teine aadress on eemalasuva serveri aadress. Lokaalse IP jaoks kasutatakse /32 võrgumaski. OpenVPN teatab režiimiks %3$s\". - %1$s ja %2$s on mõttetud CIDR võrgumaskiga IP ruutingud, võrgumaskiks määratakse /32. - %1$s/%2$s ruuting parandatud: %3$s/%2$s + %1$s ja %2$s on mõttetud CIDR võrgumaskiga IP marsruutidest, võrgumaskiks määratakse /32. + %1$s/%2$s marsruut parandatud: %3$s/%2$s Androidi Keychain sertifikaadid on kättesaamatud. (See võib olla põhjustatud püsivara uuendamisest või appide/apiseadistuste taastamisest). Sertifikaatide pääsuõiguste taastamiseks redigeerige palun VPN seadistusi ja valige uuesti üldiste seadistuste alt sertifikaat. %1$s %2$s Saada logifail 
@@ -158,7 +158,7 @@ imporditud profiil imporditud profiil %d Probleemsed Androidi püsivara versioonid - <p>Ametlikel HTC versioonidel teatakse olevat kummaline marsruutimisprobleem, mille tulemusel ei liigu andmevoog läbi tunneli (Vaata ka <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a> veahalduses.)</p><p>Ametlike SONY versioonid Xperia arc S ja Xperia Ray puhul on raporteeritud ka täielikku VPNService API puudumist. Ka teised Sony tarkvaraversioonid võivad olla mõjutatud samast probleemist. (Vaata <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a> veahalduses.)</p><p>Kohandatud tarkvaraversioonides võib puududa tun moodul või /dev/tun õigused võivad olla valed. Mõned CM9 versioonid nõuavad üldseadistuste alt õiguste parandamise valiku kasutamist.</p><p>Aga mis kõige olulisem: kui teil juhtub olema vigane tarkvaraversioon, siis teatage sellest oma tarnijale. Mida rohkem kliente tarnijat seadme probleemidest teavitab, seda suurema tõenäosusega tehakse seadme tarkvara ka korda.</p> + <p>Ametlikel HTC versioonidel teatakse olevat kummaline marsruutimisprobleem mille tulemusel ei liigu andmevoog läbi tunneli (Vaata ka <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a> veahalduses.)</p><p>Ametlike SONY versioonid Xperia arc S ja Xperia Ray puhul on raporteeritud ka täielikku VPNService API puudumist. Ka teised Sony tarkvaraversioonid võivad olla mõjutatud samast probleemist. (Vaata <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a> veahalduses.)</p><p>Kohandatud tarkvaraversioonides võib puududa tun moodul või /dev/tun õigused võivad olla valed. Mõned CM9 versioonid nõuavad üldseadistuste alt õiguste parandamise valiku kasutamist.</p><p>Aga mis kõige olulisem: kui teil juhtub olema vigane tarkvaraversioon, siis teatage sellest oma tarnijale. 
Mida rohkem kliente tarnijat seadme probleemidest teavitab, seda suurema tõenäosusega tehakse seadme tarkvara ka korda.</p> Kasutajanimi peab olema määratud. PKCS12 faili krüpteerimisvõti Privaatse võtme salasõna @@ -204,7 +204,7 @@ Viga proxy seadistuste vastuvõtul: %s Kasutusel proxy %1$s %2$d Kasuta süsteemset proxy\'t - Kasuta ühendumisel süsteemset HTTP/HTTPS proxy konfiguratsiooni. + Kasuta ühendumisel süsteemse HTTP/HTTPS proxy konfiguratsiooni. Sul on võimalus <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">annetada PayPal vahendusel</a> Kui VPN oli süsteemi uuestilaadimisel/sulgemisel aktiivne siis taastatakse seadme käivitamisel OpenVPN ühendus. Palun lugege enne selle valiku kasutamist läbi ühendumise hoiatuse KKK. Uuestilaadimisel ühendu uuesti 
@@ -220,7 +220,7 @@ Kasuta olemasoleva (.ovpn või .conf) profiili importimiseks sdcard pealt <img src=\"ic_menu_archive\"/> ikooni. Kindlasti vaata KKK\'d. See sisaldab ka alustamise lühijuhendit. Teisenda remote-tls formaat OpenVPN 2.2 pealt 2.3 peale - marsruutimise/liidese konfigureerimine + Marsruutimine ja võrguliidese konfigureerimine Marsruutimine ja liidese seadistamine ei toimu traditsiooniliste ifconfig/route käskudega vaid VPNService API abil. Tulemuseks on teistest OS\'dest erinev marsruutimise konfiguratsioon. Konfiguratsioonis on kirjed ainult tunneli-liidese IP jaoks ja nende võrkude kirjeldused mis peavad olema marsruuditud läbi selle liidese. Täpsemalt, pole vaja kirjeldada ei teise poole aadressi ega ruuterit. Spetsiaalsed ruutingukirjed VPN serveriga kontakteerumiseks (nagu näiteks redirect-gateway kasutamisel) ei ole samuti vajalikud. Seetõttu ignoreeritakse konfiguratsiooni importimisel neid kirjeid. Programm kindlustab VPNService API abil et VPN serveriga kontakteerumist nõudvaid ühendusi ei ruudita läbi VPN tunneli. Kuna toetatud on ainult tunneldatavate võrkude marsruudid, siis ei saa kirjeldada ka ruutinguid mis ei suuna liiklust läbi tunneli. (nt. route x.x.x.x y.y.y.y net_gateway). \'Näita ühenduse andmeid\' nupp logiaknas näitab kehtivat VPNService võrgukonfiguratsiooni. Ära taasta otseühendust kui OpenVPN on taasühendumas. Katkematu tun diff --git a/res/values-fr/strings.xml b/res/values-fr/strings.xml index 673ca018..085f7486 100755 --- a/res/values-fr/strings.xml +++ b/res/values-fr/strings.xml 
@@ -224,5 +224,11 @@ Sur certaines images, cette notification joue un son.\nAndroid à introduit ces "Converti le format \"remote-tls\" du format OpenVPN 2.2 au 2.3" "Redirections / Configuration de l\'interface" "La configuration de l\'interface TUN et des règles de redirection de ports n\'est pas faite par les commandes traditionnelles du genre \"ifconfig\" ou \"route\" mais en utilisant l\'API VPNService. Il en résulte que la configuration de routage est différente des autres systèmes d\'exploitation. La configuration se compose uniquement de l\'adresse IP de l\'interface du tunnel, et les réseaux qui doivent être routés via cette interface. Aucune adresse peer partenaire ou passerelle n\'est nécessaire. Des règles de redirection spéciales pour atteindre le serveur VPN (par exemple ajouté lors de l\'utilisation redirect-gateway) ne sont pas nécessaires non plus. L\'application va donc ignorer ces paramètres lors de l\'importation d\'une configuration. L\'application permet à l\'API VPNService que la connexion au serveur n\'est pas acheminé par le tunnel VPN. Étant donné que seuls les réseaux spécifiant vouloir être routés via le tunnel sont pris en charge, les règles de redirection supplémentaires ne pointant pas vers le tunnel ne sont aussi pas prises en charge. (ex.: x.x.x.x y.y.y.y net_gateway). Le bouton d\'information dans le log affiche la configuration actuelle de la configuration du réseau VPNService." + Ne pas couper la connexion VPN lors de la reconnexion d\'OpenVPN. Persistance de l\'interface TUN + "Traduction" + Log OpenVPN + "Importer une configuration OpenVPN" + "Consommation de la batterie" + "Lors de mes tests d\'OpenVPN, la source de principale de consommation de la batterie est l\'émission des paquets de servant à maintenir la connexion active (keepalive). 
La plupart des serveurs OpenVPN utilisent la directive \'keepalive 10 60\' ce qui signifie que des packets de keepalive sont envoyés toutes les 10 secondes du client au serveur et vice-versa, et que la connexion sera redemmarée après 60s en cas d\'inactivité. <>Bien que le trafic généré soit faible, ces paquets maintiennent le module radio actif et augmentent la consommation d\'énergie. <p> Malheureusement, la configuration du keepalive ne peut pas être changé sur le client, seul l\'administrateur du réseau OpenVPN peut le faire. En effet, utiliser une période de keepalive supérieure à 60 secondes pose problème pour les réseaux UDP et les passerelles NAT qui ferment alors la connexion (mes tests ont mis en évidence un timeout de 60s). L\'usage de TCP et d\'une plus longue periode de keepalive est possible mais présente les inconvénient lié aux connexion TCP encapsulées (cf., site en anglais: <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>)" diff --git a/res/values-ko/strings.xml b/res/values-ko/strings.xml index a1099152..957df8e2 100755 --- a/res/values-ko/strings.xml +++ b/res/values-ko/strings.xml 
@@ -224,4 +224,9 @@ 라우팅과 인터페이스 설정은 일반적인 ifconfig/route 명령어를 사용하지 않고 VPNService API를 사용합니다. 그 결과 타 OS들과 비교해 다른 라우팅 설정이 요구됩니다. 설정은 터널 인터페이스의 IP와 이 인터페이스로 라우팅이 되야되는 네트워크만으로 이루어 저야 합니다. 특히 피어 파트너 주소 또는 게이트웨이 주소는 요구되지 않습니다. VPN 서버에 도달하기 위한 특별한 라우트 (예를 들어 redirect-gateway를 사용할때 추가하는 경우) 역시 필요하지 않습니다. 따라서 응용프로그램 설정을 가져올 때 이러한 설정을 무시 합니다. 앱은 VPNService API를 사용하여 서버와의 연결이 VPN 터널을 통해 라우팅 되지 않도록 합니다. 터널을 통해 라우팅이 되야되는 네트워크만 지정할 수 있음으로 터널을 통하지 않는 추가 라우팅 기능도 지원하지 않습니다. (예: route x.x.x.x y.y.y.y net_gateway). 로그 위도우에 정보 보기 버튼은 VPNService 네트워크 설정의 현재 설정을 표시 합니다. OpenVPN을 다시 연결 하는 경우 VPN 연결 없음으로 표기하지 마십시오. tun 유지 + 번역 + OpenVPN 로그 + OpenVPN 설정 가져오기 + 배터리 소모 + 내 개인적인 테스트에서 Openvpn의 높은 배터리 소비에 대한 주요 이유는 keepalive 패킷 때문이었습니다. 대부분의 OpenVPN 서버 설정에는 \'keepalive 10 60\' 와 같은 문구가 있는데 이는 클라이언트에서 서버로 서버에서 클라이언트로 keepalive 패킷을 10 초 마다 보냅니다. <p> 이러한 패킷은 작고 많은 트래픽을 사용 하지 않습니다만 이들은 모바일 라디오 네트워크를 계속 유지하게 만들게되고 따라서 에너지 소비를 증가 합니다. <p>이 keepalive 설정을 클라이언트에서 변경할 수 없습니다. OpenVPN의 시스템 관리자만 설정을 변경할 수 있습니다. <p> 불행히도 udp를 사용할때 keepalive값을 60초 이상으로 하면 짧은 만료기간 (제 테스트의 경우 60초) 후 연결을 종료 하는 NAT 게이트웨이들과 사용시 문제가 있습니다. TCP와 긴 keepalive 만료기간을 함께 사용할 수는 있지만 이런경우에는 TCP TCP 문제에 노출될 수 있습니다. (참조 <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">왜 TCP를 통한 TCP는 안좋은 방법인지</a>) diff --git a/res/values-ru/strings.xml b/res/values-ru/strings.xml index 32902e78..b21714a4 100755 --- a/res/values-ru/strings.xml +++ b/res/values-ru/strings.xml @@ -21,7 +21,7 @@ О программе Описание OpenVPN для Android Список всех туннелей VPN - Конфигурации VPN + Профили VPN Тип Пароль для PKCS12 Выбрать… 
@@ -50,24 +50,27 @@ Ярлык OpenVPN Подключиться к VPN Не найден профиль, указанный в ярлыке - Случайные префикс узла + Случайный префикс узла Добавляет 6 случайных символов перед именем хоста Включить пользовательские параметры Пользовательские параметры. Используйте с осторожностью! Маршрут отвергнут Android Отключение - очистить лог + очистить журнал Подтверждение отмены Отключение активных VPN/Отмена попыток подключения? Удалить VPN Проверять, использует ли сервер сертификат TLS - Исключить сервер TLS + Исключить TLS на сервере + Проверка корневого сертификата сервера на основе строки-шаблона Проверка имени хоста сертификата + Введите шаблон для проверки. OpenVPN использует его как преффикс. \"Server\" будет соответствовать как \"Server-1\", так и \"Server-2\"\nоставьте пустым для проверки имени сервера на основе данных CA. Удаленный хост (CN) Включить аутентификацию по TLS ключу Файл аутентификации TLS Запрос IP-адреса, маршрутов и параметров от сервера. Игнорировать все параметры сервера. Параметры должны быть указаны ниже. + Запрашивать параметры DNS Переопределить параметры DNS от сервера Использовать ваши DNS 
@@ -84,18 +87,26 @@ Пользовательские маршруты Уровень детализации лога Разрешить пакеты аутентификации с любого IP-адреса + Разрешать \"плавающие\" сервера Пользовательские параметры Редактирование параметров VPN Удаление профиля VPN %s? + На некторых костомных сборках права на /dev/tun могут быть неверными или tun-модуль может быть не включен. Для прошивки CM9 можете попробовать исправить владельца прямо из настроек программы Открытие интерфейса tun окончилось неудачей. "Ошибка: " Очистить информация Показать подробности о подключении + Последняя используемая конфигурация OpenVPN: + Адрес IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d DNS-сервер: %s DNS-домен: %s Маршруты: %s Маршруты IPv6: %s + Получена информация интерфейса %1$s и %2$s, второй адрес является удалённым адресом канала. Используется сетевая маска /32 для локального IP адреса. Режим, установленный OpenVPN: \"%3$s\". + Невозможно использовать выражения %1$s и %2$s как маршрут по стандарту CIDR. используется /32 как маска подсети. + Маршрут исправлен с %1$s/%2$s на %3$s/%2$s + Не удается получить доступ к хранилищу ключей и сертификатов Android. Это может быть вызвано обновлением прошивки или восстановления старой копии приложения или его настроек. Пожалуйста, отредактируйте профиль VPN и заново укажите ключи и сертификаты в разделе Основные параметры. %1$s %2$s Отправить файл журнала Отправить 
@@ -104,9 +115,11 @@ Режим TAP Режим TAP невозможен на устройствах без root-а. Поэтому это приложение не поддерживает TAP Снова? Вы издеваетесь? Не поддерживается режим TAP и просьбы к автору об этом не помогут ему реализоваться. + Третий раз? На самом деле можно было бы писать эмулятор tap, основанные на tun, который бы добавлял информацию 2 уровня при отправке и извлекал бы ее при получении. Но этот эмулятор потребует также ARP и, возможно, клиента DHCP. Я не знаю никого, кто мог бы этим заняться. Свяжитесь со мной, если вы хотите заняться этим. Вопросы и ответы Часто задаваемые вопросы и некоторые советы Копирование записей лога + Для копирования одного элемента журнала необходимо нажать и удерживать. Для копирования/передачи всего файла журнала используйте опцию \"Отправить файл журнала\". Используйте hardware кнопку меню, если вы не в графическом интерфейсе. Ярлык для запуска Вы можете поместить ярлык для запуска OpenVPN на рабочий стол. В зависимости от вашего окружения необходимо добавить ярлык или виджет. Ваше изображение не поддерживает API VPNService, извините:( 
@@ -131,16 +144,20 @@ Импорт файла конфигурации из исходного %1$s Ваша конфигурация имела несколько директив, которые не поняты программой. Эти директивы были добавлены в дополнительные параметры пользовательской конфигурации. Пользовательская конфигурация отображена ниже: Файла конфигурации успешно прочитан. + Не привязываться к локальному адресу и порту + Не использовать привязки Импорт файла конфигурации Соображения безопасности Импорт Ошибка вывода выбранного сертификата + Произошла ошибка при попытке вызова системного диалога выбора сертификатов Android 4.0+ Этого не должно было случиться на стандартной прошивке. Может быть в вашей прошивке испорчено хранилище сертификатов IPv4 IPv6 Ожидание сообщения о состоянии… импортируемый профиль импортируемый профиль %d Нечитаемое изображение + <p>Извествно, что официальные прошивки HTC имеют странные проблемы с марщрутизацией, вызванной тем, что трафик не идёт через тунель (см. также <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a> в баг-трекере)</p><p> Также сообщалось, что в официальных прошивках SONY от Xperia arc S и Xperia Ray полностью отсутствует сервис VPNService. Также и другие прошивки от Sony могут иметь такие же проблемы. (см. также <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a> в баг-трекере)</p><p>В некоторых встроенных прошивках модуль tun может отсутствовать или иметь не правильные права файла-устройства /dev/tun. Некоторые CM9 прошивки могут требовать исправлений опции прав в главных настройках.</p><p>Важная информация: Если у вас прошивка с указанными проблемами, сообщите об этом производителю устройства. Чем больше пользователей сообщит о проблеме производителю, тем более шансов, что этот производитель соизволит убрать свои косяки.</p> Имя пользователя не должно быть пустым. Файл PKCS12-ключа Пароль закрытого ключа 
@@ -149,27 +166,36 @@ TLS-аутентификация Сгенерированая конфигурация Общие параметры + Попытаться изменить владельца для /dev/tun. Некоторые прошивки CM9 требуют этого для корректной работы API OpenVPN. Требуется root. + Исправить права для /dev/tun Показать сгенерированный файл конфигурации OpenVPN Правка \"%s\" Создание конфигурации… Включение этого параметра заставит переподключиться, если состояние сети изменения (WIFI с мобильного) Переподключение при изменении сети + Получен сертификат \'%s\' из хранилища ключей Статус сети: %s + Сертификат CA обычно возвращается из хранилища Android Keystore. Укажите отдельный сертификат, если у вас возникли ошибки при проверке сертификата. Выбрать + Не удалось получить CA из хранилища ключей Android. Аутентификация не удалась. Показывает окно журнала при подключении. Окно журнала всегда может быть доступно из панели уведомлений. - Показать окно лога - Не закрывать окно с информацией о подключении после соединения для показа информации о траффике. + Показать окно журнала + Не закрывать окно с информацией о подключении после соединения для вывода информации о трафике. Показать статистику трафика + Работает на %1$s (%2$s) %3$s, Android API %4$d Ошибка подписи с использованием ключа из хранилища Android %1$s: %2$s + Предупреждение VPN соединения сообщает вам, что это приложение может перехватывать весь сетевой трафик, и сообщается системой предупреждений VPNService API.\nИзвещение о VPN соединении (символ \"Ключа\") также формируется системой Android для сигнализации исходящего VPN соединения. В некоторых прошивках это оповещение сопровождается сигналом.\nAndroid использует эти оповещения для вашей собственной безопасности и из нельзя обойти. (К сожалению, на некоторых прошивках также издается оповещение звуком) Сообщение о подключении и звук уведомления + Русский перевод от RusFox <horonitel@gmail.com> IP-адрес и DNS Основные Маршрутизация - Скрывать параметры OpenVPN. Обычно не требуется. + Скрытые параметры OpenVPN. 
Обычно не требуются. Расширенные ICS Openvpn конфигурация DNS-серверы не используются. Разрешение имен может не работать. Рассмотрите возможность указания DNS-серверов Не удалось добавить DNS-сервер \"%1$s\", отклонен системой: %2$s + <p>Используйте готовую конфигурацию (протестированную на вашем компьютере или полученную от вашего провайдера)</p><p>Если это простой файл без pem/pks12 вы можете отправить его по email на свое устройство. Если же это несколько файлов, вы можете использовать их со своей карты памяти.</p><p>Просто кликните на .conf файл или выберите его с помощью меню в программе для импорта конфигурации</p><p>Если программа выдаст ошибку о нехватке некоторых файлов, просто поместите эти файлы на карту памяти</p><p>Нажмите кнопку сохранения для добавления импортируемой конфигурации в программу</p><p>Запустите ваш VPN-тоннель нажав на его название в списке</p><p>Если при запуске возникли ошибки попробуйте разобраться и устранить их.</p> Быстрый старт Попробуйте загрузить модуль ядра tun.ko прежде чем пытаться подключиться. Требуется root-доступ на устройстве. Загрузить tun-модуль 
@@ -177,15 +203,28 @@ Ошибка при получении параметров прокси-сервера: %s Используется прокси-сервер %1$s %2$d Использовать прокси-сервер системы + Использовать системную конфигурацию прокси HTTP/HTTPS для соединения. + Вы можете <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">пожертвовать с PayPal</a> + OpenVPN будет переподключаться, если он был активен в момент выключения/перезагрузки. Пожалуйста, прочтите FAQ перед тем, как использовать эту настройку. Переподключение после перезагрузки Игнорировать Перезагрузка Изменения конфигурации применяются после перезапуска VPN. (Пере)запустить VPN теперь? Конфигурация изменена + Не удалось определить последний используемый профиль для редактирования Дублирующиеся уведомления + Если в Android возникает нехватка оперативной памяти (RAM), ненужные службы и приложения останавливаются. Из-за этого прерывается установленное VPN-соединение. Чтобы избежать этого, приложение нужно запускать с повышенным приоритетом. Для запуска с высоким приоритетом приложение должно вывести предупреждение. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as app notification for purpose of running with higher priority. Профили VPN не указаны. + Используйте <img src=\"ic_menu_add\"/> иконку для добавления нового VPN + Используйте <img src=\"ic_menu_archive\"/> кнопку для импорта существующих профилей (.ovpn or .conf) с вашей карты памяти. Не забудьте заглянуть в FAQ. Также имеется краткое руководство. Преобразовать формат удаленного tls OpenVPN 2.2 в формат 2.3 Конфигурация маршрутизации/интерфейса + Маршрутизация и конфигурация интерфейса не сделаны через традиционную ifconfig/route команду, а используют VPNService API. Это сделано по причине того, что конфигурирование маршрутизации отличаются в разных операционных системах. 
Конфигурация состоит только из IP интерфейса тунеллирования и сетей, которые должны маршрутизироваться через этот интерфейс. Особенно не требуется адрес канала (peer) или адрес шлюза. Специальные марщруты для достижения VPN сервера (для примера, добавленные, когда использован redirect-gateway) больше не требуются. Следовательно, приложение будет игнорировать эти установки при импорте конфигурации. Такое поведение с использованием VPNService API гарантирует, что соединение до сервера не будет маршрутизироваться в VPN тунель. Поскольку поддерживаются только такие сети, которые маршрутизируются через тунель, маршруты, которые не указывают на тунель, не могут поддерживаться (например route x.x.x.x y.y.y.y net_gateway). Кнопка \"Показать информацию\" в окне журнала показывает текущую сетевую конфигурацию VPNService. + Не открывать диалог, когда происходит переподключение VPN. Стойкость tun + Перевод + OpenVPN Журнал + Импорт конфигурации OpenVPN + Потребление батареи diff --git a/res/values-zh-rTW/arrays.xml b/res/values-zh-rTW/arrays.xml new file mode 100755 index 00000000..a2e9f209 --- /dev/null +++ b/res/values-zh-rTW/arrays.xml @@ -0,0 +1,27 @@ + + + + + 證書 + PKCS12檔案 + Android證書 + 用戶名稱/密碼 + 固定金鑰(Static Keys) + 用戶名稱/密碼 + 證書 + 用戶名稱/密碼 + PKCS12檔案 + 用戶名稱/密碼 + Android + + + 0 + 1 + 不指定 + + + 0 - 不作記錄 + 1 - 預設記錄 + 2 - 詳細記錄 + 3 + 4 + 5 - 除錯 + + diff --git a/res/values-zh-rTW/strings.xml b/res/values-zh-rTW/strings.xml new file mode 100755 index 00000000..5635144c --- /dev/null +++ b/res/values-zh-rTW/strings.xml 
@@ -0,0 +1,124 @@ + + + + OpenVPN for Android + 伺服器地址: + 伺服器端口: + 位置 + 無法讀取目錄! + 選擇 + 取消 + 沒有資料 + LZO壓縮 + 沒有證書 + 客戶端證書 + 客戶端證書密碼 + PKCS12 檔案 + CA證書 + 未有選擇任何 + 關於 + 關於 OpenVPN for Android + VPN設定檔 + 類型 + PKCS12 密碼 + 選擇… + 未有選取任何 + 使用TLS防火牆 + TLS方向 + 以CIDR格式輸入IPv6地址/遮罩(例如 2000:dd::23/64) + 以CIDR格式輸入IPv4地址/遮罩(例如 1.2.3.4/24) + IPv4地址 + IPv6地址 + 用戶名稱 + 密碼 + 設定VPN + 新增設定檔 + 輸入新的設定檔名稱 + 重複的設定檔名稱 + 設定檔名稱 + 沒有選取任何的使用者證書。 + 未有找到錯誤 + 設定中含有錯誤 + 無法解析IPv4地址 + 無法解析自訂路由 + OpenVPN捷徑 + 連接到VPN + 在快捷方式找不到指定的設定檔 + 在主機名稱前加入6個隨機字符 + 啟用自訂選項 + 斷線 + 清除記錄檔 + 移除VPN + 遠端主機名稱(CN) + TLS驗證檔 + DNS + 使用自訂的DNS伺服器 + 搜索網域 + 要使用的DNS伺服器。 + DNS伺服器 + 後備VPN伺服器 + 重定向所有流量到VPN + 使用預設路由 + 自訂路由 + 記錄的詳細級別 + 自訂選項 + 編輯VPN設定 + 要移除VPN設定檔 %s 嗎? + "錯誤: " + 清除 + 資訊 + 本地IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d + DNS伺服器: %s + DNS網域: %s + 路徑: %s + IPv6路由: %s + %1$s %2$s + 傳送記錄檔 + 傳送 + ICS OpenVPN 記錄檔 + Tap模式 + FAQ + 加密 + 輸入加密方法 + 驗證/加密 + 檔案瀏覽器 + 匯入 + 匯入過程中發生錯誤 + 無法從檔案系統中匯入檔案 + 匯入 + 新增設定檔 + 正嘗試讀取檔案: %1$s + 沒有本地綁定 + 保安上的考慮 + 匯入 + IPv4 + IPv6 + 使用者名稱不能為空。 + PKCS12檔加密金鑰 + 私密金鑰密碼 + 密碼 + 檔案圖標 + TLS防火牆 + 常規設置 + 修正 /dev/tun 的擁有者 + 正在編輯\"%s\" + 正在生成設定檔… + 網絡狀態: %s + 選擇 + 顯示記錄視窗 + 顯示流量狀態 + 繁體中文 由 羊羊<sora8964@gmail.com> 翻譯 + IP和DNS + 基本 + 路由 + 進階 + ICS Openvpn 設定 + 快速入門 + 載入Tun模組 + 使用系統代理 + 你可以透過 <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">PayPal</a> 提供捐助 + 重新開機時重新連接 + 忽略 + 重置 + 路由/網絡介面 設定 + diff --git a/src/de/blinkt/openvpn/ConfigParser.java b/src/de/blinkt/openvpn/ConfigParser.java index 3d20bc31..1098058f 100644 --- a/src/de/blinkt/openvpn/ConfigParser.java +++ b/src/de/blinkt/openvpn/ConfigParser.java @@ -229,10 +229,12 @@ public class ConfigParser { "route-gateway", "route-metric", "route-method", + "script-security", "show-net-up", "suppress-timestamps", "tmp-dir", "topology", + "win-sys" }; diff --git a/src/de/blinkt/openvpn/FaqFragment.java b/src/de/blinkt/openvpn/FaqFragment.java index 1b262c7f..a358dc9a 100644 --- a/src/de/blinkt/openvpn/FaqFragment.java 
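Review bot: The two entries added to the string array in ConfigParser.java, `"script-security"` and `"win-sys"`, have no comment explaining why they belong there, and the array's declaration and name are outside the hunk. Judging by its neighbours (`"route-method"`, `"show-net-up"`, `"tmp-dir"`), this is presumably the list of directives the importer drops. If so, `script-security` differs from the rest: in OpenVPN it limits which external scripts and programs the client may run, so a profile that sets it was written with script hooks in mind. A comment such as `// script-security: this app runs no user scripts, so the directive is dropped on import` would record that reasoning. It would also be worth confirming that the script directives themselves are not carried through as custom options, which cannot be seen from here.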
+++ b/src/de/blinkt/openvpn/FaqFragment.java @@ -22,10 +22,10 @@ public class FaqFragment extends Fragment { Bundle savedInstanceState) { View v= inflater.inflate(R.layout.faq, container, false); - insertHtmlEntry(v,R.id.brokenimages,R.string.broken_images_faq); + insertHtmlEntry(v,R.id.broken_images_faq,R.string.broken_images_faq); insertHtmlEntry(v,R.id.faq_howto,R.string.faq_howto); - insertHtmlEntry(v, R.id.faq_battery, R.string.baterry_consumption); - insertHtmlEntry(v, R.id.vpn_tethering, R.string.faq_tethering); + insertHtmlEntry(v, R.id.baterry_consumption, R.string.baterry_consumption); + insertHtmlEntry(v, R.id.faq_tethering, R.string.faq_tethering); return v; diff --git a/src/de/blinkt/openvpn/VpnProfile.java b/src/de/blinkt/openvpn/VpnProfile.java index bdfdd70a..a71758d1 100644 --- a/src/de/blinkt/openvpn/VpnProfile.java +++ b/src/de/blinkt/openvpn/VpnProfile.java @@ -101,6 +101,7 @@ public class VpnProfile implements Serializable{ public boolean mUseDefaultRoutev6=true; public String mCustomRoutesv6=""; public String mKeyPassword=""; + static final String MINIVPN = "miniopenvpn"; public boolean mPersistTun = false; -- cgit v1.2.3 From 36c03ed1b2f0e06c1a247a693257f4595c53ae69 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 26 Nov 2012 19:00:33 +0100 Subject: The fcafb74a08aa58152b6bd9eb6e4c7dc6ea783c3b was wrong commit. Version 4.2 behaves like ICS. (from a programming perspective not from what it really does) --- src/de/blinkt/openvpn/OpenVpnManagementThread.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/de/blinkt/openvpn/OpenVpnManagementThread.java b/src/de/blinkt/openvpn/OpenVpnManagementThread.java index 24537732..d15e6a33 100644 --- a/src/de/blinkt/openvpn/OpenVpnManagementThread.java +++ b/src/de/blinkt/openvpn/OpenVpnManagementThread.java 
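Review bot: In the VpnProfile.java hunk, the new constant `static final String MINIVPN = "miniopenvpn";` sits between the public instance fields `mKeyPassword` and `mPersistTun`, with no comment on what the string names, and it is unrelated to the FAQ change in the commit subject. Static fields are not serialized, so the placement does not alter the stored profile format, but it hides a constant among mutable state. I would move it to the head of the class and document it, for example `// NOTE(review): presumably the file name of the bundled OpenVPN binary — confirm`. The class body starts and ends outside the hunk.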
@@ -473,11 +473,12 @@ public class OpenVpnManagementThread implements Runnable { PrivateKey privkey = mProfile.getKeystoreKey(); Exception err =null; - // The Jelly Bean *evil* Hack byte[] data = Base64.decode(b64data, Base64.DEFAULT); - if(Build.VERSION.SDK_INT>=16){ + // The Jelly Bean *evil* Hack + // 4.2 implements the RSA/ECB/PKCS1PADDING in the OpenSSLprovider + if(Build.VERSION.SDK_INT==16){ processSignJellyBeans(privkey,data); return; } -- cgit v1.2.3 From b1429b9cb483b3aaa24f428a8c3c3d18ef51e7dd Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 4 Dec 2012 22:15:04 +0100 Subject: Fix crash of settings if verb > 5 from the parsed configuration --HG-- extra : rebase_source : 895a74f802b9e1e38014f6c29ec24a4149d41df3 --- src/de/blinkt/openvpn/Settings_Obscure.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/de/blinkt/openvpn/Settings_Obscure.java b/src/de/blinkt/openvpn/Settings_Obscure.java index f7a63043..c93944fa 100644 --- a/src/de/blinkt/openvpn/Settings_Obscure.java +++ b/src/de/blinkt/openvpn/Settings_Obscure.java @@ -69,7 +69,12 @@ public class Settings_Obscure extends OpenVpnPreferencesFragment implements OnPr mLogverbosity.setDefaultValue(newValue); //This is idiotic. int i =Integer.parseInt((String) newValue); - mLogverbosity.setSummary(mLogverbosity.getEntries()[i]); + + // verb >= 5 is not supported by the chooser + if(i < mLogverbosity.getEntries().length ) + mLogverbosity.setSummary(mLogverbosity.getEntries()[i]); + else + mLogverbosity.setSummary(String.format("debug verbosity: %d",i)); } return true; -- cgit v1.2.3 From 8e61463fa17e61e84cb0d7ccf03bc2dde5eccaca Mon Sep 17 00:00:00 2001 
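Review bot: The version test `if(Build.VERSION.SDK_INT==16){` in OpenVpnManagementThread.java uses a bare number while the comment above it speaks of "4.2", so a reader has to know that 16 is Android 4.1 and 17 is 4.2 to see that the workaround now applies to 4.1 only. Naming the constant makes the intent explicit: `if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) {`, with the comment reworded to `// Only 4.1 (API 16) needs the hack; 4.2 implements RSA/ECB/PKCS1PADDING in the OpenSSL provider`. This branch decides how the keystore private key signs the data, so the comment should also say what the regular path does when the provider lacks that transformation. That code and the rest of the method are outside the hunk.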
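Review bot: The new guard in Settings_Obscure.java, `if(i < mLogverbosity.getEntries().length )`, checks only the upper bound, so a negative value would still reach `getEntries()[i]` and crash. The `Integer.parseInt((String) newValue)` above it can also still throw on a non-numeric value. `if (i >= 0 && i < mLogverbosity.getEntries().length)` closes the first gap. The added comment says `verb >= 5` while the commit subject and the condition both mean values above the last entry, so it should read `// verb > 5 is not offered by the chooser`. The fallback summary `"debug verbosity: %d"` is a hard-coded English string in an otherwise translated screen and would fit better as a string resource; the enclosing method starts and ends outside the hunk.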
From: Arne Schwabe Date: Tue, 11 Dec 2012 23:22:03 +0100 Subject: update translations --- fetchtranslations.sh | 2 +- res/values-ca/arrays.xml | 27 +++++ res/values-ca/strings.xml | 146 ++++++++++++++++++++++ res/values-it/arrays.xml | 27 +++++ res/values-it/strings.xml | 178 +++++++++++++++++++++++++++ res/values-ja/arrays.xml | 27 +++++ res/values-ja/strings.xml | 274 ++++++++++++++++++++++++++++++++++++++++++ res/values-nl/arrays.xml | 27 +++++ res/values-nl/strings.xml | 121 +++++++++++++++++++ res/values-no/arrays.xml | 27 +++++ res/values-no/strings.xml | 152 +++++++++++++++++++++++ res/values-zh-rCN/strings.xml | 3 + 12 files changed, 1010 insertions(+), 1 deletion(-) create mode 100755 res/values-ca/arrays.xml create mode 100755 res/values-ca/strings.xml create mode 100755 res/values-it/arrays.xml create mode 100755 res/values-it/strings.xml create mode 100755 res/values-ja/arrays.xml create mode 100755 res/values-ja/strings.xml create mode 100755 res/values-nl/arrays.xml create mode 100755 res/values-nl/strings.xml create mode 100755 res/values-no/arrays.xml create mode 100755 res/values-no/strings.xml diff --git a/fetchtranslations.sh b/fetchtranslations.sh index 98f63801..baa393fe 100755 --- a/fetchtranslations.sh +++ b/fetchtranslations.sh @@ -10,7 +10,7 @@ fi echo "Fetch translation archive" fetch -q http://crowdin.net/download/project/ics-openvpn.zip -langtoinclude="de cs ko et fr he ru" +langtoinclude="ca cs de ko et it fr ja he ru no nl" for lang in $langtoinclude do diff --git a/res/values-ca/arrays.xml b/res/values-ca/arrays.xml new file mode 100755 index 00000000..9cb9ead4 --- /dev/null +++ b/res/values-ca/arrays.xml @@ -0,0 +1,27 @@ + + + + + Certificats + Fitxer PKCS12 + Certificat Android + Usuari/Contrasenya + Claus Estàtiques + Usuari/Con + Certificats + Usuari/Con + PKCS12 + Usuari/Con + Android + + + 0 + 1 + Sense especificar + + + 0 - Sense registre + 1 - Registre per defecte + 2 - Registre extens + 3 + 4 + 5 - Registre de depuració + + 
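Review bot: The translation archive is still downloaded with `fetch -q http://crowdin.net/download/project/ics-openvpn.zip`, over plain HTTP and with no integrity check, while the commit widens `langtoinclude` from seven to twelve languages, so more third-party text reaches `res/` unreviewed. Several of these strings carry markup (`<a href=…>`, `<img src=…>`) and appear to be rendered as HTML in the FAQ, so an altered archive could change the links shown to users. Switching the URL to `https://` (if the host serves it) and reviewing the resulting diff of `res/values-*` before committing would cover this. A comment such as `# translations are third-party input: review the diff before committing` would document the step. The loop body after `do` continues outside the hunk.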
diff --git a/res/values-ca/strings.xml b/res/values-ca/strings.xml new file mode 100755 index 00000000..f2d18c0f --- /dev/null +++ b/res/values-ca/strings.xml 
@@ -0,0 +1,146 @@ + + + + OpenVPN per Android + Adreá del servidor: + Port del servidor: + Lloc + No es pot llegir la carpeta! + Selecciona + Cancel·la + Sense informació + Compresió LZO + Sense Certificat + Certificat Client + Clau del certificat client + Fitxer PKCS12 + Certificat CA + Res seleccionat + Codi font i gestor d\'incidències disponible a http://code.google.com/p/ics-openvpn/ + Aquest programa utiltiza els components següents. Mireu el codi font per a més detalls + Quan a + Quan a OpenVPN per Android + Llista de VPNs configurades + Perfils VPN + Tipus + Contrasenya PKCS12 + Selecciona... + Res seleccionat + Utiltiza autenticació TLS + Direcció TLS + Introduïu l\'adreça/mascara de xarxa IPv6 en format CIDR Format (e.g. 2000:dd::23/64) + Introduïu l\'adreça/mascara de xarxa IPv4 en format CIDR (e.g. 1.2.3.4/24) + Adreça IPv4 + Adreça IPv6 + Introduiu opcions personalitzades de OpenVPN. Utilitzeu amb cura. Alguns de les configuracions de OpenVPN pot ser que no estiguin suportadse pel diseny de VPNSettings. Si trobeu en falta alguna acció important contacteu l\'autor. + Usuari + Contrasenya + Per la configuració estàtica les claus d\'autenticació TLS s\'utiltizaran com a claus estàtiques. + Configura la VPN + Afegeix un perfil + Introduïu un nom identificant el perfil + Nom del perfil duplicat + Nom del perfil + No s\'ha seleccionat un certificat d\'usuari. + No s\'ha trobat cap error + S\'ha trobat un error a la configuració + No es pot parsejar l\'adreça IPv4 + No es poden parsejar les rutes personalitzades + Deixeu en blan per consultes sota demanda + Acces directe de OpenVPN + Conecta a la VPN + No s\'ha trobat el perfil especificat a l\'accès directe + Prefix aleatoria del host + La ruta ha estat refusas per Android + Desconecta + Neteja el registre + Cancela la confirmació + Desconcta la conexió VPN/cancela l\'intent de conexió? + Eliminar VPN + DNS + Servidor DNS a utilitzar. 
+ Servidor DNS + Redirecciona tot el trafic a través de la VPN + Utilitza la ruta per defecte + Rutes personalitzadse + Nivell de detall del registre + Opcions personalitzades + Edita la configuració VPN + Elimina el perfil VPN %s? + "Error: " + Neteja + info + Mostra els detalls de conexió + Servidor DNS: %s + Domini DNS: %s + Rutes: %s + Rutes IPv6: %s + Envia el fitxer de registre + Envia + Fitxer de registre de ICS OpenVPN + S\'ha copiat l\'entrada al porta-retalls + Mode Tap + No es pot utiltizar el mode tap amb la api no rootejada. L\'aplicació no suporta tap + FAQ + Preguntes frequents + Copiant entrades de registre + Acces directe per inciar + Encriptació + Introduïu el mètode d\'encriptació + Autentificació/Encriptació + Explorador de fitxers + Fitxer en linea + Importa + Error important el fitxer + No s\'ha pogut importar el fitxer del sistema de fitxers + [[Inline file data]] + Importa el perfil d\'un fitxer ovpn + Importa + No s\'ha pogut llegir el fitxer a importar + Error llegint el fitxer de configuració + afegir un Perfil + S\'ha llegit el fitxer de configuració. + Importa + IPv4 + IPv6 + Esperant el missatge d\'estat... + Perfil importat + Perfil importat %d + Imatges trencades + Contrasenya de la clau privada + Contrasenya + Icona del fitxer + Autentificació TLS + Configuració generada + Configuració General + Corregir els permisos de /dev/tun + Mostra el fitxer de configuració d\'OpenVPN generat + Editant \"%s\" + Construint la configuració... + Reconecta al canviar de xarxa + Estat de la xarxa %s + Selecciona + Mostra la finestra de registre + Mostra les estadístiques de trafic + Traducció al catala per Sergi Almacellas +<sergi@koolpi.com> + IP i DNS + Bàsic + Ruting + Avançat + Inici rapid + Utilitzant el proxy %1$s %2$d + Utiliza el proxy del sistema + Torna a conectar al reiniciar + Ignorar + Reinicia + Els canvis de configuració s\'apliquen desprès de reinicar la VPN. (Re)inicar la VPN ara? 
+ S\'ha canviat la configuració + Notificacions duplicades + No s\'han definit cap perfil. + Configuració del Ruting/Interficies + Traducció + Registre OpenVPN + Importa la configuració OpenVPN + Consum de la bateria + diff --git a/res/values-it/arrays.xml b/res/values-it/arrays.xml new file mode 100755 index 00000000..551ac746 --- /dev/null +++ b/res/values-it/arrays.xml @@ -0,0 +1,27 @@ + + + + + Certificati + File PKCS12 + Certificato Android + Utente/Password + Chiavi statiche + Utente/password + Certificati + Utente/Passowrd + PKCS12 + Utente/Passsword + Android + + + 0 + 1 + Non specificato + + + Log disattivato + Log default + Log più dettagliato + 3 + 4 + Log per debug + + diff --git a/res/values-it/strings.xml b/res/values-it/strings.xml new file mode 100755 index 00000000..ccd66dc6 --- /dev/null +++ b/res/values-it/strings.xml 
@@ -0,0 +1,178 @@ + + + + OpenVPN per Android + Indirizzo server: + Porta del server: + Posizione + La cartella non può essere letta! + Seleziona + Annulla + Nessun dato + Compressione LZO + Nessun certificato + Certificato client + Chiave del certificato client + File PKCS12 + Certificato CA + Nessuna selezione + Codice sorgente ed elenco dei rilasci disponibile su + Il programma utilizza i seguenti componenti. Fare riferimento alle relative fonti per tutti i dettagli relativi alle licenze + Informazioni + Informazioni su OpenVPN per Android + Elenco connessioni VPN configurate + Profili VPN + Tipo + Password PKCS12 + Seleziona… + Nulla selezionato + Usa autenticazione TLS + Direzione TLS + Inserire l\'indirizzo IPv6/maschera di rete in formato CIDR (ad esempio 2000:dd::23/64) + Inserire l\'indirizzo IPv4/maschera di rete in formato CIDR (ad esempio 1.2.3.4/24) + Indirizzo IPv4 + Indirizzo IPv6 + Inserire le opzioni personalizzate di OpenVPN. Utilizzare con attenzione. Si ricorda che molte delle impostazioni relative a OpenVPN non sono attualmente supportate da progetto. Se pensate che qualcuna di queste sia indispensabile, contattare l\'autore + Utente + Password + Per la configurazione statica le chiavi TLS di autenticazione saranno utilizzate come chiavi statiche. + Configura la VPN + Aggiungi profilo + Immettere un nome per identificare il nuovo profilo + Nome del profilo duplicato + Nome del profilo + Nessun certificato utente selezionato. + Nessun errore trovato + Errore nella configurazione + Impossibile analizzare l\'indirizzo IPv4 + Non è possibile analizzare le informazioni di routing personalizzate + Lasciare vuoto per eseguire una interrogazione a richiesta + Collegamento a OpenVPN + Connesso alla VPN + Profilo indicato nel collegamento non trovato + Host prefix casuale + Aggiunge 6 caratteri casuali prima dell\'hostname + Abilita le opzioni personalizzate + Specifica opzioni personalizzate. Utilizzare con cautela! 
+ \"Rotta\" rifiutata da Android + Scollega + Cancella registro + Annulla conferma + Scollegare la VPN collegata o annullare il tentativo di connessione? + Rimuovi VPN + Controlla se il server utilizza un certificato Server TLS + Ad eccezione del server TLS + Controlla il certificato del server remoto confrontandolo con una stringa + Verifica il certificato dell\'Host + Abilita l\'autenticazione tramite TLS + File di autenticazione TLS + Richiede indirizzi IP, instradamenti r opzioni di sincronizzazione dal server. + Nessuna informazione è chiesta al server. Le impostazioni devono essere specificate di seguito. + DNS + Sovrascrive le impostazioni DNS del server + Utilizzare il proprio server DNS + Dominio di ricerca + Server DNS da utilizzare. + Server DNS + Server DNS secondario utilizzato se il Server DNS primario non può essere raggiunto. + Server DNS secondario + Ignora gli instradamenti dati dal server + Reindirizza tutto il traffico sulla VPN + Utilizza il Routing di default + Rotte personalizzate + Livello di dettaglio del registro + Permette pacchetti autenticati da qualsiasi IP + Opzioni personalizzate + Modifica impostazioni VPN + Rimuovere il profilo VPN %s? + In alcune immagini ICS personalizzate i permessi su /dev/tun potrebbero essere errati, oppure il modulo TUN completamente assente. Per le immagini CM9 provare a correggere le opzioni Proprietà nella sezione impostazioni generali + Apertura dell\'interfaccia tun non riuscita. + "Errore:" + Azzera + Info + Visualizza i dettagli della connessione + Ultima configurazione interfaccia OpenVPN: + IPv4 locale: %1$s/%2$d IPv6: %3$ s MTU: %4$ d + Server DNS: %s + Dominio DNS: %s + Rotte: %s + Rotte IPv6: %s + %1$s%2$s + Inviare il file di log + Invia + File log di OpenVPN ICS + Voce di registro copiata negli appunti + Modalità TAP + La modalità TAP non è disponibile con le VPN API non root + Ancora? Stai scherzando? 
La modalità TAP non è realmente supportata ed inviare ulteriori richieste via mail di sicuro non aiuta! + Per la terza volta?In realtà si potrebbe scrivere un emulatore TAP basato su TUN che aggiunge le informazioni di Layer 2 in uscita e le elimina in ingresso. Ma questo emulatore TAP dovrebbe anche implementare ARP e un client DHCP. Non sono a conoscenza di nessuno che stia realizzando qualcosa del genere. Contattami se vuoi iniziare a scrivere del codice a riguardo. + Domande frequenti + Domande più frequenti e qualche consiglio + Copia le voci di log + Per copiare una singola voce del log, premi e mantieni sulla voce del log. Per copiare/inviare l\'intero log usa l\'opzione \"Manda log\". +Usa il tasto hardware Menù se non è visibile nella GUI. + Scelta rapida per avviare + È possibile inserire un collegamento per avviare OpenVPN sul desktop. A seconda del vostro launcher dovrete aggiungere un collegamento o un widget. + La tua immagine non supporta le API VPNService, mi dispiace :( + Codifica + Inserire il metodo di crittografia + Inserisci la chiave di cifratura per OpenVPN. Lascia vuoto per usare la chiave di cifratura predefinita + Autenticazione/crittografia + Esplora risorse + Importa + Errore durante l\'importazione di File + Impossibile importare il file dal filesystem + importa il profilo dal file .ovpn + Importa + Impossibile leggere il profilo da importare + Errore di lettura del file di configurazione + Aggiungi profilo + Provando a leggere il file: %1$s + Impossibile trovare il file %1$s menzionato nel file di configurazione importato + Importa il file di configurazione da fonte %1$s + La tua configurazione ha avuto alcune opzioni che potevano essere analizzate. Queste opzioni sono state aggiunte come opzioni di configurazione aggiuntive. 
Le opzioni di configurazione aggiuntive sono visionabili qui sotto: + +Effettuata la lettura del file di configurazione + Importa file di configurazione + Considerazioni sulla sicurezza + Importa + Errore nel mostrare il certificato selezionato + Incappato in una eccezione provando a mostrare la finestra di selezione dei certificati di Android 4.0+. Questo non dovrebbe mai accadere poiché questa è una feature standard di Android 4.0+. Forse si è corrotto il supporto per la conservazione dei certificati della tua ROM di Android + IPv4 + IPv6 + In attesa del messaggio di stato... + profilo importato + profilo importato %d + Immagini danneggiate + L\'username non deve essere vuoto. + Password della chiave privata + Password + icona del file + Autenticazione TLS + Configurazione generata + Impostazioni generali + Correggi i diritti su /dev/tun + Modifica \"% s\" + Configurazione dell\'edificio... + Stato della rete: %s + Selezionare + Visualizza la finestra dei log + Visualizza le statistiche sul traffico + Avviso di connessione e notifica audio + IP e DNS + Base + Instradamento (routing) + Avanzate + Configurazione OpenVPN ICS + Avvio rapido + Prova a caricare il modulo tun.ko prima di connettersi. Si devono avere diritti di root sul dispositivo. + Ignora + Riavvia + Le modifiche sarannoi applicate dopo aver riavviato la connessione VPN. Riavviare ora la connessione? + Configurazione modificata + Traduzione + Log di OpenVPN + Importa configurazione OpenVPN + Consumo della batteria + Nei miei test la causa principale per il consumo elevato della batteria di OpenVPN sono i pacchetti keepalive. La maggior parte dei server OpenVPN hanno una direttiva di configurazione tipo \' keepalive 10 60\', che si traduce in un pacchetto keepalive dal client al server e al client ogni dieci secondi. <p> Anche se questi pacchetti sono piccoli e non utilizzano drandi quantità di traffico, tengono occupata la rete radio mobile e aumentano il consumo di energia. 
<p> Non è possibile modificare il settaggio keepalive sul client. Solo l\'amministratore di sistema dell\'OpenVPN può modificare l\'impostazione. Purtroppo <p> utilizzando un keepalive maggiore di 60 secondi, udp ha problemi con alcuni gateway NAT che terminano lo stato per garantire una connessione dopo un timeout breve (60 secondi nei miei test). Utilizzare TCP keepalive lungo funziona, ma si crea un problema di TCP su TCP. (Vedere < un href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\" > perché TCP Over TCP è A Bad Ide </a>) + diff --git a/res/values-ja/arrays.xml b/res/values-ja/arrays.xml new file mode 100755 index 00000000..c2428a74 --- /dev/null +++ b/res/values-ja/arrays.xml @@ -0,0 +1,27 @@ + + + + + 証明書 + PKCS12 ファイル + Androidの証明書管理 + ユーザー名/パスワード + 共有鍵 + User/PWと証明書 + User/PWとPKCS12ファイル + User/PWとAndroidの証明書管理 + + + 0 + 1 + 未指定 + + + 0 - ログなし + 1 - 標準的なログ + 2 - 詳細なログ + 3 + 4 + 5 - デバッグログ + + diff --git a/res/values-ja/strings.xml b/res/values-ja/strings.xml new file mode 100755 index 00000000..ff747efa --- /dev/null +++ b/res/values-ja/strings.xml 
@@ -0,0 +1,274 @@ + + + + OpenVPN for Android + サーバアドレス + ポート番号 + 場所 + フォルダが読み取れません + 選択 + キャンセル + データなし + LZO 圧縮 + 証明書がありません。 + クライアント証明書 + クライアント証明書のキー + PKCS12ファイル + CA 証明書 + 選択なし + ソースコードと問題管理は以下で: http://code.google.com/p/ics-openvpn/ + プログラムは、次のコンポーネントを使用します。完全な詳細についてはソース上のライセンスを参照してください。 + バージョン情報 + OpenVPN for Androidについて + 設定されたすべてのVPN + VPNプロファイル + 種別 + PKCS12のパスワード + 選択 + 選択なし + TLS認証を使用する + TLS Direction + IPv6アドレスをCIDR形式で入力(例:2000:dd::23/64) + IPv4アドレスをCIDR形式で入力(例:1.2.3.4/24) + IPv4アドレス + IPv6アドレス + OpenVPNのカスタムオプションを入力します。利用には細心の注意が必要です。設定画面ではTUNモジュールの多くの設定がサポートされていません。もしほかに重要と思う設定があれば作者に連絡してください。 + ユーザー名 + パスワード + TLS認証鍵の設定は、静的キーとして使用されます。 + VPNの設定 + プロファイルの追加 + 新しいプロファイルを識別する名前を入力します + プロファイル名が重複しています。 + プロファイル名 + ユーザー証明書が選択されていません。 + エラーは見つかりませんでした。 + 設定に誤りがあります。 + IPv4 アドレスを解析できません。 + カスタムの経路情報を解析することができません。 + 必要に応じて入力するには空欄にしてください + OpenVPN のショートカット + VPNに接続 + ショートカットで指定されたプロファイルが見つかりません + ランダムなホスト プレフィックス + ランダムな6文字をホスト名の前に付加します。 + カスタム オプションを有効にします。 + カスタムオプションを指定します。注意を要します。 + 経路がAndroidにより拒否されました。 + 切断 + ログをクリア + キャンセルの確認 + 接続中または試行中の接続をキャンセルしますか? + VPN を削除 + サーバがTLSサーバ証明書を使用する場合はチェックします。 + TLS サーバーを除く + リモートサーバの証明書のCNをチェックする + 証明書のホスト名を確認する + リモートサーバをチェックする際の文字列を指定します。OpenVPNでは前方一致を行います。\"Server\"は\"Server-1\"と\"Server-2\"にマッチします。\n +空欄にすると、CNとサーバのホスト名を比較します。 + リモートホスト名(CN) + TLS鍵認証を有効にする + TLS 認証ファイル + IPアドレス、経路情報、DNSなどの情報をサーバから取得 + サーバからは何も情報が取得できません。指定が必要な設定は以下の通りです。 + 情報取得の設定 + DNS + サーバ指定のDNSサーバ設定をオーバーライドします。 + DNSをユーザ側で指定します。 + 検索ドメイン + 使用する DNS サーバー + DNS サーバー + セカンダリDNSサーバーは、プライマリDNSサーバーに到達できない場合に使用します。 + セカンダリDNSサーバー + サーバ側指定の経路情報を無視する + + すべての通信をVPN経由にする + 既定の経路を使用 + カスタム経路を入力します。宛先のみをCIDR形式で指定します。例えば \"10.0.0.0/8 2002::/16\"と指定すれば10.0.0.0/8と2002::/16への通信はVPNに向けられます。 + カスタム経路情報 + ログの詳細度 + 認証済みパケットをどのIPからでも受け付ける + フローティング サーバーを許可 + カスタム オプション + VPN 設定の編集 + VPN プロファイル %s を削除しますか? 
+ いくつかのカスタムICSイメージは、/dev/tunのパーミッションが異常か、TUNモジュールが含まれていません。CM9イメージの場合は全般設定で所有権設定を修正してください。 + TUNデバイスを開こうとして失敗しました。 + "エラー:" + クリア + 情報 + 接続の詳細を表示 + OpenVPNから設定した最後のインターフェイス: + ローカル IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d + DNS サーバー: %s + DNS ドメイン: %s + 経路:%s + 経路 IPv6:%s + インターフェース情報として[%1$s]と[%2$s]を取得しました。2つめのアドレスはリモート側のピアアドレスです。32ビットマスクをローカルIPに使用します。 OpenVPNのモードは[%3$s]です。 + %1$sと%2$sではCIDR形式のIP経路情報として意味をなしません。32ビットマスクを使用します。 + 経路情報%1$s/%2$sを%3$s/%2$sに修正しました。 + Androidの証明書管理にアクセスできません。(ファームウェアの更新、アプリケーションまたはその設定のリストアによって発生する場合があります)。VPNの設定で証明書の選択を再度行ってください。 + %1$s %2$s + ログ ファイルを送信します。 + 送信 + ICS OpenVPN ログ ファイル + クリップ ボードにコピーされたログ エントリ + TAPモード + TAPモードは非root化環境では動作しません。よってこのアプリケーションではTAPをサポートできません。 + まだ試しますか?TAPモードはサポートされていませんし、サポートされるかどうかメールを送ることは何の役にも立ちません。 + 3回目です。本当のところ、TUN上で動くレイヤ2エミュレータを書くことはできました。(送信時の情報追加と受信時の情報削除で)。しかしこのエミュレータはARPやおそらくはDHCPをも実装しなければならないでしょう。誰もこのことに気がついていません。もしあなたがこの機能を作る気になったのであれば、どうぞ私に連絡してください。 + + よくある質問 + よくある質問といくつかのアドバイス + ログ エントリをコピーします。 + 1行のログエントリをコピーするには、そのエントリをタッチし続けます。コピー/送信するには「ログエントリを送信」を使用します。GUIで表示されない場合はハードウェアのメニューボタンを使用してください。 + 起動ショートカット + OpenVPNを起動するためのショートカットをデスクトップに配置できます。ショートカットやウィジェットを配置できるかどうかはホームスクリーンプログラムに依存します。 + 申し訳ありませんが、お使いの環境ではVPNサービスがサポートされていません。 + 暗号化 + 暗号化方式を入力 + OpenVPNに使用する暗号キーを入力してください。デフォルト値を使用する場合は空欄にしてください。 + 認証/暗号化 + ファイルを選択 + インライン ファイル + インポート + ファイルのインポート エラー + ファイルシステムからファイルをインポートできませんでした。 + [インライン ファイル データ] + IP情報なしでのTUNデバイス使用は拒否しています + OVPNファイルからプロファイルをインポート + インポート + インポートするプロファイルを読み取れませんでした。 + 構成ファイルの読み取りエラー + プロファイルの追加 + ファイルを読み取ろうとしています: %1$s + インポートされた構成ファイルに記載されたファイル %1$s が見つかりません。 + 構成ファイルを%1$sからインポートしています。 + いくつかの設定が解析されました。これらはカスタムオプションとして設定に追加されています。カスタムオプションは以下の通りです。 + 構成ファイルの読み取り終了。 + ローカル アドレスとポートにバインドを行いません。 + ローカルバインドしない + 構成ファイルのインポート + セキュリティに関する考慮事項 + OpenVPNがセキュリティに敏感であるように、セキュリティに関してのいくつかの注意事項は理にかなっています。 +SDカード上のデータは本質的に無防備です。すべてのアプリケーションが読み取り可能です。(たとえばこのプログラムはSDカードへの特別な読み取り許可を必要としていません) 
+このアプリケーションのデータは、自分自身のみが読み取り可能です。インポートされた証明書類はVPNプロファイルに保存されています。VPNプロファイルはこのアプリケーションからのみアクセス可能です。(あとでSDカード上のファイルを消すのを忘れないでください) +ただし、このアプリケーションからのみ読み取り可能ではあるものの、暗号化されてはいません。 +機体をroot化したり、あるいはその他の脆弱性によってファイルは読み取ることが可能かもしれません。パスワードは平文で保存されています。PKCS12ファイルをAndroidの証明書管理機能にインポートして使用することが強く推奨されます。 + インポート + 証明書の選択でエラーが表示されます + Android 4.0以降の証明書選択ダイアログ表示で例外を検知しました。 +この事象は標準的なAndroid 4.0以降では発生しません。お使いのAndroidの証明書管理機構が壊れている可能性があります。 + IPv4 + IPv6 + 状態メッセージを待っています。 + インポートされたプロファイル + インポートされたプロファイル %d + 壊れたイメージ + <p>HTCの公式OSイメージはトンネルにトラフィックを流せないという奇妙な経路問題を抱えています。(詳しくはバグトラッカーを参照 <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a>)</p> +<p>SONYの公式OSイメージのうちXperia arc SとXperia Rayでは、VPNServiceが含まれていないと報告されています。その他の公式OSイメージにも同様の影響があるかもしれません。(詳しくはバグトラッカーを参照 <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a>)</p> +<p>カスタムビルドのOSイメージの場合、TUNモジュールが含まれていなかったり、/dev/tunの権限が間違っていることがあります。いくつかのCM9のイメージでは全般設定で所有権の修正を行う必要があります。</p> +<p>最も重要なこと:もしおかしなOSイメージがあったら、製作者に問題を報告してください。より多くの人が問題を製作者に報告すれば、問題は修正されるでしょう。</p> + + ユーザ名を空に設定することはできません + PKCS12ファイルの暗号化キー + 秘密鍵のパスワード + パスワード + ファイルのアイコン + TLS認証 + 生成された構成 + 全般設定 + システムに/dev/tunの所有者を設定します。いくつかのCM9のイメージでVPNService APIを動作させるために必要です。root権限が必要です。 + /dev/tun の所有権を修正します。 + 生成された OpenVPN の構成ファイルを表示します + \"%S\"の編集 + 構成中・・・ + この設定を有効にすると、ネットワークの状態変化時(WiFi/モバイル)に再接続を行います + ネットワーク変化時に再接続 + \'%s\'の証明書をキーストアから読み出し + ネットワーク状態: %s + 認証局証明書(CA cert)は、通常、Android のキーストアから返されます。証明書の検証でエラーになる場合は、個別の証明書を指定します。 + 選択 + 認証局証明書(CA Cert)がAndroidのキーストアから取得できませんでした。認証はおそらく失敗します。 + 接続時にログウィンドウを表示します。ログウィンドウは常に状態通知からアクセスできます。 + ログウィンドウを表示 + トラフィック統計を表示するために、接続中は状態通知を表示し続ける + トラフィック統計を表示 + 実行中:%1$s (%2$s)%3$s Android API %4$d + Androidキーストアに保存されたキー %1$s: %2$sの署名エラーです + VPN接続の警告は、このアプリケーションがVPNService APIを悪用してすべての通信を傍受できることを、システムがあなたに知らせるものです。\n +VPN接続通知(鍵の形)は、VPN接続が稼働中であることをAndroidが知らせています。いくつかのシステムではこの通知で音を鳴らします。\n +Androidはあなた自身の安全性のために、これらを迂回できないようにしています。(いくつかのシステムでは、遺憾ながら音も伴います) + 接続時の警告と通知音 + 日本語版翻訳 Artin. 
<tools@artin.nu> + IPとDNS + 基本 + 経路設定 + 特殊なOpenVPNの設定。通常は必要ありません + 高度 + ICSのOpenVPN設定 + 使用されている DNS サーバーはありません。名前解決は動作しません。DNSサーバーの設定を見直してください。 + DNSサーバ \"%1$s\" の追加に失敗しました。%2$sに拒否されました。 + <p>動作確認済の設定ファイルを入手します。(あなたのコンピュータでテスト済のものや、プロバイダや会社などの組織からダウンロードしたもの)</p> +<p>もしそれが単一のファイルでpemやpks12ファイルを伴わないなら、自分宛のメールに添付して送付し、それを開いてください。もし複数のファイルで構成されているならSDカードに格納してください。</p> +<p>メールの添付ファイルを開く、あるいはVPNリストのフォルダアイコンをクリックして設定ファイルをインポートします。</p> +<p>もし、ファイルが足りないというエラーが表示されたら、足りなかったファイルをSDカード上に格納してください。</p> +<p>インポートされたVPN設定をリストに追加するには、保存アイコンをクリックします。t</p> +<p>VPNを接続するには、VPNの名称をクリックします。</p> +<p>もし警告やエラーがログエントリに表示されたら、それらを調べて解決してください。</p> + + クイックスタート + 接続の試行前にTUNデバイスモジュール(tun.ko)を読み込みます。デバイスのroot化が必要です。 + TUNモジュールをロード + PKCS12の設定をAndroidのキーストアにインポートします + プロキシ設定でエラー: %s + プロキシを使用します %1$s %2$d + システムのプロキシ設定を使用します + システム全体の構成の HTTP/HTTPS プロキシ接続を使用します。 + 以下のURLで寄付いただけます。 +<a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\"> + + OpenVPNはシステムの再起動やシャットダウン時に再接続するようになります。このオプションを使用する前にFAQをご一読ください。 + システム起動後に再接続 + 無視 + 再起動 + 設定の変更はVPNの再起動後に反映されます。VPNを(再)起動しますか? 
+ 設定が変更されました + 編集されたため、最後に接続したプロファイルを確認できませんでした + + 重複した通知 + もしAndroidがメモリ不足に陥った場合、その時点で必要とされないアプリケーションやサービスはアクティブなメモリから排除されます。 +この処理に伴い、VPN接続は終了されます。 +OpenVPNの接続を保証するためには、アプリケーションを高い優先度で稼働させます。 +高い優先度でアプリケーションを稼働させる場合、アプリケーションは通知を表示しなければなりません。 +鍵の形をした通知アイコンは、先述のFAQにあるとおりシステムにより表示させられたものです。 +高い優先度で稼働するための通知はアプリケーションの通知には含まれません。 + VPNのプロファイルが定義されていません + 新しいVPNを追加するには <img src=\"ic_menu_add\"/> のアイコンを使用します + SDカードからプロファイル(.ovpnや.conf)をインポートするには <img src=\"ic_menu_archive\"/> のアイコンを使用します。 + FAQを確認してください。クイックスタートガイドがあります。 + リモートTLSをOpenVPN 2.2形式から2.3形式に変換します + 経路情報/インターフェース設定 + 経路設定とインターフェース設定は伝統的なifconfig/routeコマンドでは行われず、VPNService APIを使用して行われます。 +この結果は、ほかのOSの経路設定とは異なります。 +設定はトンネルのIPのみで成立し、ネットワークへの経路設定はこのインターフェースを通して行われます。 +とりわけ、ピアパートナーやゲートウェイアドレスを必要としません。 +VPNサーバへの特別な経路(たとえばリダイレクトゲートウェイ)は必要ありません。 +従って、OpenVPNは設定のインポート時に、これらの設定を無視します。 +VPNService APIを使用してサーバに接続するアプリケーションはVPNトンネルを経路設定していなくても保証されます。 +トンネルを指定しないその他の経路設定はサポートされません。(たとえば route x.x.x.x y.y.y.y net_gateway) +ログウィンドウの情報表示ボタンは、現在のVPNServiceのネットワーク設定を表示します。 + OpenVPNが再接続試行中は、VPNなし状態を報告しない + 永続的なTUNデバイス + 翻訳 + OpenVPN のログ + OpenVPN の構成のインポート + バッテリー消費量 + 私の個人的な検証では、OpenVPNの高いバッテリ消耗の主要因はkeepaliveパケットです。 +大半のOpenVPNサーバは\'keepalive 10 60\'のような設定を持っており、これは10秒ごとにクライアントとサーバで相互にkeepaliveパケットを送ることを意味します。 +<p> これらのパケットは小さく、大きな帯域は要しませんが、通信機能を稼働させ続け電力消費を増大させます。 +<p> このkeepaliveの設定はクライアント側からは変更できません。システム管理者のみがOpenVPNの設定を変更できます。 +<p> 残念ながら60秒より大きなkeepaliveの間隔は、いくつかのNATゲートウェイにおいては接続状態が維持できずそれより短い間隔でタイムアウトします。(私の検証では60秒) +TCPモードと長めのkeepaliveタイムアウトは動作しますが、しかしTCP over TCP問題を引き起こします。(<a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">TCP over TCPは何故悪いのか</a>を参照) + + diff --git a/res/values-nl/arrays.xml b/res/values-nl/arrays.xml new file mode 100755 index 00000000..9be2a9d4 --- /dev/null +++ b/res/values-nl/arrays.xml 
@@ -0,0 +1,27 @@ + + + + + Certificaten + PKCS12 Bestand + Android Certificaat + Gebruikersnaam/Wachtwoord + Statische Sleutels + Gebruiker/WW + Certificaten + Gebruiker/WW + PKCS12 + Gebruiker/WW + Android + + + 0 + 1 + Niet-gespecificeerd + + + 0 - Geen logboek + 1 - Standaard logboek + 2 - Uitgebreid logboek + 3 + 4 + 5 - Debug logboek + + diff --git a/res/values-nl/strings.xml b/res/values-nl/strings.xml new file mode 100755 index 00000000..40140e99 --- /dev/null +++ b/res/values-nl/strings.xml 
@@ -0,0 +1,121 @@ + + + + OpenVPN voor Android + Server Adres: + Server Poort: + Locatie + map onleesbaar! + Selecteer + Annuleer + Geen Gegevens + LZO Compressie + Geen Certificaat + Client Certificaat + Client Certificaat Sleutel + PKCS12 Bestand + CA Certificaat + Niets geselecteerd + Broncode en probleem tracker zijn beschikbaar via http://code.google.com/p/ics-openvpn/ + Het programma gebruikt de volgende componenten. Zie de broncode voor volledige details over de licenties + Over + Over OpenVPN voor Android + Lijst van alle geconfigureerde VPN verbindingen + VPN Profielen + Type + PKCS12 Wachtwoord + Selecteer… + Niets Geselecteerd + Gebruik TLS autentificatie + TLS Richting + Voer een IPv6 Adres/Netmask in met het CIDR Formaat (v.b. 2000:dd::23/64) + Voer een IPv4 Adres/Netmask in met het CIDR Formaat (v.b. 1.2.3.4/24) + IPv4 Adres + IPv4 Adres + Gebruikersnaam + wachtwoord + Voor de statische configuratie worden de TLS Auth keys als statische keys gebruikt. + VPN configureren + Profiel toevoegen + Voer een naam in voor het nieuwe Profiel + Dubbele Profielnaam + Profiel name + Geen Gebruikerscertificaat geselecteerd. + Geen fout. + Fout in de configuratie + Het IPv4 adres is foutief + De aangepaste route is foutief + Open VPN shortcut + Met VPN verbinden + Het profiel zoals aangegeven in de snelkoppeling kon niet gevonden worden. + Willekeurig Host Voorvoegsel + Voegt 6 willekeurige tekens toe voor de hostname + Eigen configuratie opties + Geef je eigen configuratieopties aan. Wees voorzichtig! + Route geweigert door Android + Verbinding verbreken + logboek wissen + Annuleer bevestiging + Sluit de verbonden VPN af/annuleer de verbindingspoging? + VPN wissen + Checkt of de server een TLS server certificaat gebruikt. + Controleer Certificaat Hostname + Externe Hostname(CN) + TLS Auth Bestand + Vraag IP adres, routes en timing opties van de server. 
+ Pull Instellingen + DNS + DNS Instellingen van Server Overschrijven + Gebruik eigen DNS Servers + Zoekd domein + Primaire DNS server + DNS Server + Secundaire DNS server. Deze wordt gebruikt voor het geval dat de primaire DNS server niet bereikbaar is + Backup DNS server + Negeer ontvangen routes + Negeer routes ontvangen van de server. + Leid al het Verkeer over de VPN + Gebruik standaard Route + Eigen routes + Geverifieerde pakketen zijn vanuit elk IP toegestaan + Zwevende server toestaan + Aangepaste Opties + VPN Instellingen Bewerken + Verwijder het VPN Profiel %s? + Het openen van de tun interface ging verkeerd. + "Fout:" + Leeg maken + info + Details van de verbinding weergeven + Laatste interfaceconfiguratie van OpenVPN: + Lokaal IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d + DNS Server: %s + DNS Domein: %s + Routes: %s + Routes IPv6: %s + %1$s %2$s + Logboek verzenden + Verzenden + Tap mode + De VPN API van Android werkt zonder rooten van de telefoon en ondersteunt alleen de tun modus. Daarom is de tap modus niet mogelijk met deze app. + Alweer dit? Serieus? Nee, de tap modus kan écht niet gebruikt worden. Het helpt ook niet om mij met de vraag wanneer dit wél mogelijk is te mailen. + configuratie bestand importeren + Beveiligingsoverwegingen + Importeren + Fout bij het weergeven van de certificaat selectie + IPv4 + IPv6 + Wachten op status bericht… + Geïmporteerd profiel + Geïmporteerd profiel %d + Niet Werkende Afbeeldingen + De gebruikersnaam moet niet leeg zijn. + PKCS12 Bestand Encryptie Sleutel + Privé Sleutel Wachtwoord + Wachtwoord + bestands pictogram + TLS Verificatie + Gegenereerde Configuratie + Algemene Instellingen + IP en DNS + diff --git a/res/values-no/arrays.xml b/res/values-no/arrays.xml new file mode 100755 index 00000000..a5a6b76d --- /dev/null +++ b/res/values-no/arrays.xml 
@@ -0,0 +1,27 @@ + + + + + Sertifikater + PKCS12 fil + Android sertifikat + Brukernavn/passord + Statiske nøkler + Brukernavn/Passord + sertifikater + Brukernavn/Passord + PKCS12 + Brukernavn/Passord + Android + + + 0 + 1 + Uspesifisert + + + 0 - Ingen Logging + 1 - Standard logging + 2 - Mer detaljert logging + 3 + 4 + 5 - feilsøke logging + + diff --git a/res/values-no/strings.xml b/res/values-no/strings.xml new file mode 100755 index 00000000..17ab1ac0 --- /dev/null +++ b/res/values-no/strings.xml 
@@ -0,0 +1,152 @@ + + + + OpenVPN for Android + Server adresse: + Server port: + Plassering + mappen kan ikke leses! + velg + Avbryt + Ingen Data + LZO-komprimering + Ingen sertifikat + Klient sertifikat + Klientsertifikat nøkkel + PKCS12 fil + CA-sertifikat + Ingenting er valgt + Kildekoden og problemsporing er tilgjengelig under http://code.google.com/p/ics-openvpn/ + Programmet bruker følgende komponenter. Se kilden for full informasjon om lisensene + Om + Om OpenVPN for Android + Liste over alle konfigurerte VPN-tilkoblinger + VPN-profiler + Type + PKCS12 passord + Velg... + Ingenting valgt + Bruke TLS-godkjenning + TLS-retning + Angi IPv6-adresse/nettmaske i CIDR format (f.eks 2000:dd::23/64) + Angi IPv6-adresse/nettmaske i CIDR format (f.eks 1.2.3.4/24) + IPv4-adresse + IPv6-adresse + Brukernavn + Passord + Konfigurer VPN + Legge til profil + Angi et navn som identifiserer den nye profilen + Profilnavnet finnes allerde + Profilnavn + Ingen brukersertifikat er valgt. + Ingen feil funnet + Feil i konfigurasjonen + Kan ikke tolke IPv4-adressen + Kan ikke tolke de egendefinerte rutene + OpenVPN snarvei + Koble til VPN + Tilfeldig vert prefiks + Aktiver egendefinerte valg + Koble fra + Tøm logg + Avbryt bekreftelse + Fjern VPN + TLS-Auth-fil + DNS + Bruk din egen DNS-server + DNS-Server som skal brukes. + DNS-server + Bruk standard rute + Egendefinert rute + Detaljnivå for Logging + Egendefinerte valg + Rediger VPN-innstillinger + Fjerne VPN profilen %s? 
+ "Feil:" + Fjern + info + Vis Tilkoblingsdetaljer + DNS-server: %s + DNS-domene: %s + Ruter: %s + %1$s %2$s + Send loggfilen + Send + ICS OpenVPN loggfil + Tap modus + FAQ + Vanlige spørsmål og noen råd + Kopier loggoppføringer + Snarvei til start + Kryptering + Angi krypteringsmetode + Autentisering/kryptering + Filutforsker + Importer + Feil ved import av fil + Kunne ikke importere filen fra filsystemet + Importer profil fra ovpn-fil + Importer + Kan ikke lese profil for importering + Feil under lesing av config-filen + legg til profil + Forsøker å lese filen: %1$s + Finner ikke filen %1$s nevnt i importert konfigurasjons fil + Importerer konfigurasjonsfilen fra kilde %1$s + Ferdig med å lese konfigurasjons-filen. + Ingen lokale binding + Importer konfigurasjonsfil + Sikkerhetsvurderinger + Importer + Feil ved visning av sertifikatvalg + IPv4 + IPv6 + Venter på tilstands melding... + importert profil + importert profilen %d + Ødelagte bilder + Brukernavnet kan ikke være tomt. + PKCS12 Filkrypteringsnøkkel + Privat nøkkel passord + Passord + fil ikon + TLS-godkjenning + Generert konfigurasjon + Generelle innstillinger + Fiks eierskap av /dev/tun + Rediger \"%s\" + Lager konfigurasjon... + Koble til på nytt ved nettverks endring + Nettverksstatus: %s + Velg + Vis logg-vindu + Vis trafikk-statistikk + Kjører på %1$s (%2$s) %3$s, Android API %4$d + Norsk oversettelse av Jonny + IP og DNS + Grunnleggende + Ruting + Avansert + ICS Openvpn konfigurasjon + Hurtigstart + Prøv å laste tun.ko kjernemodul før tilkobling. Krever at enheten er rootet. + Last tun modul + Feil ved henting av proxy-innstillinger: %s + Bruker proxy %1$s %2$d + Bruk systemet proxy + Bruk global systemkonfigurasjon for HTTP/HTTPS proxy for å koble til. 
+ Du kan <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donere med PayPal</a> + Koble til på nytt ved restart + Ignorer + Start på nytt + Konfigurasjon endret + Kopier varsler + Ingen VPN-profiler er definert. + Ruting/grensesnitt-konfigurasjon + Ikke gå tilbake til ingen VPN-tilkoblingen mens OpenVPN kobler til på nytt. + Oversettelse + OpenVPN Logg + Importer OpenVPN konfigurasjon + Batteriforbruk + diff --git a/res/values-zh-rCN/strings.xml b/res/values-zh-rCN/strings.xml index 730b2add..34c1836d 100755 --- a/res/values-zh-rCN/strings.xml +++ b/res/values-zh-rCN/strings.xml @@ -129,6 +129,7 @@ 等待状态消息 已导入配置文件 已导入配置文件 %d + 图像已损坏 用户名不能为空。 PKCS12 文件加密密钥 私钥密码 @@ -158,6 +159,8 @@ 载入 tun 模块 将 PKCS12 导入 Android 密钥库 获取代理设置时出错:%s + 使用代理 %1$s %2$d + 使用系统代理 重启时重新连接 忽略 重启 -- cgit v1.2.3 From c0ada659bb13c0c008ff78cc31f9c65fe5ce55c2 Mon Sep 17 00:00:00 2001 
From: Arne Schwabe Date: Fri, 14 Dec 2012 12:58:27 +0100 Subject: Update openvpn to Dual Stack version --- openvpn/.gitignore | 2 + openvpn/config.h | 2 +- openvpn/configure.ac | 2 +- openvpn/doc/management-notes.txt | 28 + openvpn/doc/openvpn.8 | 82 ++- openvpn/src/openvpn/buffer.c | 10 + openvpn/src/openvpn/buffer.h | 5 + openvpn/src/openvpn/error.c | 8 +- openvpn/src/openvpn/forward-inline.h | 1 + openvpn/src/openvpn/forward.c | 34 +- openvpn/src/openvpn/forward.h | 4 +- openvpn/src/openvpn/init.c | 282 ++++---- openvpn/src/openvpn/manage.c | 49 +- openvpn/src/openvpn/manage.h | 4 +- openvpn/src/openvpn/misc.c | 106 +-- openvpn/src/openvpn/misc.h | 5 - openvpn/src/openvpn/mss.c | 57 +- openvpn/src/openvpn/mss.h | 3 +- openvpn/src/openvpn/multi.c | 6 +- openvpn/src/openvpn/options.c | 346 ++++----- openvpn/src/openvpn/options.h | 41 +- openvpn/src/openvpn/pf.c | 1 - openvpn/src/openvpn/pkcs11.c | 2 +- openvpn/src/openvpn/platform.c | 27 +- openvpn/src/openvpn/platform.h | 4 +- openvpn/src/openvpn/plugin.c | 8 +- openvpn/src/openvpn/proto.c | 19 +- openvpn/src/openvpn/proto.h | 3 +- openvpn/src/openvpn/proxy.c | 10 +- openvpn/src/openvpn/proxy.h | 6 +- openvpn/src/openvpn/ps.c | 33 +- openvpn/src/openvpn/ps.h | 2 +- openvpn/src/openvpn/push.c | 2 +- openvpn/src/openvpn/route.c | 8 +- openvpn/src/openvpn/sig.c | 22 +- openvpn/src/openvpn/sig.h | 11 +- openvpn/src/openvpn/socket.c | 1302 +++++++++++++++++----------------- openvpn/src/openvpn/socket.h | 207 ++++-- openvpn/src/openvpn/socks.c | 32 +- openvpn/src/openvpn/socks.h | 6 +- openvpn/src/openvpn/ssl_polarssl.c | 2 +- openvpn/src/openvpn/tun.c | 33 +- openvpn/src/openvpn/tun.h | 4 +- openvpn/src/openvpn/win32.c | 127 +--- openvpn/version.m4 | 2 +- 45 files changed, 1476 insertions(+), 1474 deletions(-) diff --git a/openvpn/.gitignore b/openvpn/.gitignore index f762089d..a04afff7 100644 --- a/openvpn/.gitignore +++ b/openvpn/.gitignore 
@@ -37,6 +37,7 @@ stamp-h1 install-sh missing ltmain.sh +libtool m4/libtool.m4 m4/ltoptions.m4 m4/ltsugar.m4 @@ -50,5 +51,6 @@ config-msvc-version.h doc/openvpn.8.html distro/rpm/openvpn.spec tests/t_client.sh +tests/t_client-*-20??????-??????/ src/openvpn/openvpn config-version.h diff --git a/openvpn/config.h b/openvpn/config.h index 6684f70d..510db135 100644 --- a/openvpn/config.h +++ b/openvpn/config.h @@ -450,7 +450,7 @@ #define PACKAGE_NAME "OpenVPN" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "OpenVPN 2.3_beta1" +#define PACKAGE_STRING "OpenVPN 2.3_rc1+dspatch1" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "openvpn" diff --git a/openvpn/configure.ac b/openvpn/configure.ac index d3d974dc..2f780b7a 100644 --- a/openvpn/configure.ac +++ b/openvpn/configure.ac @@ -934,7 +934,7 @@ if test "${enable_ssl}" = "yes"; then fi if test "${enable_crypto}" = "yes"; then - test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crytpo is required but missing]) + test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing]) OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS}" OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS}" AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library]) diff --git a/openvpn/doc/management-notes.txt b/openvpn/doc/management-notes.txt index a07a5142..ef39b855 100644 --- a/openvpn/doc/management-notes.txt +++ b/openvpn/doc/management-notes.txt 
@@ -750,6 +750,34 @@ To accept connecting to the host and port directly, use this command: proxy NONE +COMMAND -- rsa-sig (OpenVPN 2.3 or higher) +------------------------------------------ +Provides support for external storage of the private key. Requires the +--management-external-key option. This option can be used instead of "key" +in client mode, and allows the client to run without the need to load the +actual private key. When the SSL protocol needs to perform an RSA sign +operation, the data to be signed will be sent to the management interface +via a notification as follows: + +>RSA_SIGN:[BASE64_DATA] + +The management interface client should then sign BASE64_DATA +using the private key and return the SSL signature as follows: + +rsa-sig +[BASE64_SIG_LINE] +. +. +. +END + +Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a +correct signature. + +This capability is intended to allow the use of arbitrary cryptographic +service providers with OpenVPN via the management interface. + + OUTPUT FORMAT ------------- diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8 index da1c0f9e..d66bd665 100644 --- a/openvpn/doc/openvpn.8 +++ b/openvpn/doc/openvpn.8 @@ -456,13 +456,9 @@ possess a built-in reliability layer. .\"********************************************************* .TP .B \-\-connect-retry n -For -.B \-\-proto tcp-client, -take +Wait .B n -as the -number of seconds to wait -between connection retries (default=5). +seconds between connection attempts (default=5). .\"********************************************************* .TP .B \-\-connect-timeout n 
@@ -474,12 +470,15 @@ seconds (default=10). .\"********************************************************* .TP .B \-\-connect-retry-max n -For -.B \-\-proto tcp-client, -take .B n -as the -number of retries of connection attempt (default=infinite). +specifies the number of times all +.B \-\-remote +respectively +.B +statements are tried. Specifiying +.B n +as one would try each entry exactly once. A sucessful connection +resets the counter. (default=umlimited). .\"********************************************************* .TP .B \-\-show-proxy-settings @@ -651,18 +650,18 @@ peer on its new IP address. .\"********************************************************* .TP .B \-\-port port -TCP/UDP port number for both local and remote. The current +TCP/UDP port number or port name for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN and has been used since version 2.0-beta17. Previous versions used port 5000 as the default. .\"********************************************************* .TP .B \-\-lport port -TCP/UDP port number for bind. +TCP/UDP port number or name for bind. .\"********************************************************* .TP .B \-\-rport port -TCP/UDP port number for remote. +TCP/UDP port number or name for remote. .\"********************************************************* .TP .B \-\-bind @@ -1886,7 +1885,7 @@ is a safety precaution to prevent a LD_PRELOAD style attack from a malicious or compromised server. .\"********************************************************* .TP -.B \-\-script-security level [method] +.B \-\-script-security level This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower .B level 
@@ -1905,24 +1904,40 @@ Allow calling of built-in executables and user-defined scripts. .B 3 \-\- Allow passwords to be passed to scripts via environmental variables (potentially unsafe). -The +OpenVPN releases before v2.3 also supported a .B method -parameter indicates how OpenVPN should call external commands and scripts. -Settings for -.B method: +flag which indicated how OpenVPN should call external commands and scripts. This +could be either +.B execve +or +.B system. +As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve() +approach has been used without any issues. + +To run scripts in Windows in earlier OpenVPN +versions you needed to either add a full path to the script interpreter which can parse the +script or use the +.B system +flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement to have +full path to the script interpreter when running non-executables files. +This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For +example, if you have a Visual Basic script, you must use this syntax now: -.B execve \-\- -(default) Use execve() function on Unix family OSes and CreateProcess() on Windows. -.br -.B system \-\- -Use system() function (deprecated and less safe since the external program command -line is subject to shell expansion). +.nf +.ft 3 +.in +4 +\-\-up 'C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Program\\ Files\\\\OpenVPN\\\\config\\\\my-up-script.vbs' +.in -4 +.ft +.fi -The -.B \-\-script-security -option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility -with previous OpenVPN versions, use: -.B \-\-script-security 3 system +Please note the single quote marks and the escaping of the backslashes (\\) and +the space character. + +The reason the support for the +.B system +flag was removed is due to the security implications with shell expansions +when executing scripts via the system() call. 
.\"********************************************************* .TP .B \-\-disable-occ @@ -2464,6 +2479,11 @@ Allow management interface to override .B \-\-remote directives (client-only). .\"********************************************************* +.B \-\-management-external-key +Allows usage for external private key file instead of +.B \-\-key +option (client-only). +.\"********************************************************* .TP .B \-\-management-forget-disconnect Make OpenVPN forget passwords when management session @@ -5675,7 +5695,7 @@ Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B local_port -The local port number, specified by +The local port number or name, specified by .B \-\-port or .B \-\-lport. diff --git a/openvpn/src/openvpn/buffer.c b/openvpn/src/openvpn/buffer.c index 5eee3ee4..56d14b1a 100644 --- a/openvpn/src/openvpn/buffer.c +++ b/openvpn/src/openvpn/buffer.c @@ -782,6 +782,16 @@ char_class (const unsigned char c, const unsigned int flags) return true; if ((flags & CC_EQUAL) && c == '=') return true; + if ((flags & CC_LESS_THAN) && c == '<') + return true; + if ((flags & CC_GREATER_THAN) && c == '>') + return true; + if ((flags & CC_PIPE) && c == '|') + return true; + if ((flags & CC_QUESTION_MARK) && c == '?') + return true; + if ((flags & CC_ASTERISK) && c == '*') + return true; return false; } diff --git a/openvpn/src/openvpn/buffer.h b/openvpn/src/openvpn/buffer.h index 9bc33dba..5e11de05 100644 --- a/openvpn/src/openvpn/buffer.h +++ b/openvpn/src/openvpn/buffer.h @@ -736,6 +736,11 @@ const char *np (const char *str); #define CC_REVERSE_QUOTE (1<<23) #define CC_AT (1<<24) #define CC_EQUAL (1<<25) +#define CC_LESS_THAN (1<<26) +#define CC_GREATER_THAN (1<<27) +#define CC_PIPE (1<<28) +#define CC_QUESTION_MARK (1<<29) +#define CC_ASTERISK (1<<30) /* macro classes */ #define CC_NAME (CC_ALNUM|CC_UNDERBAR) 
diff --git a/openvpn/src/openvpn/error.c b/openvpn/src/openvpn/error.c index 6848425e..ebe9a52d 100644 --- a/openvpn/src/openvpn/error.c +++ b/openvpn/src/openvpn/error.c @@ -259,7 +259,7 @@ void x_msg_va (const unsigned int flags, const char *format, va_list arglist) if (flags & M_SSL) { int nerrs = 0; - int err; + size_t err; while ((err = ERR_get_error ())) { openvpn_snprintf (m2, ERR_BUF_SIZE, "%s: %s", @@ -602,7 +602,7 @@ x_check_status (int status, const char *extended_msg = NULL; msg (x_cs_verbose_level, "%s %s returned %d", - sock ? proto2ascii (sock->info.proto, true) : "", + sock ? proto2ascii (sock->info.proto, sock->info.af, true) : "", description, status); @@ -630,14 +630,14 @@ x_check_status (int status, if (extended_msg) msg (x_cs_info_level, "%s %s [%s]: %s (code=%d)", description, - sock ? proto2ascii (sock->info.proto, true) : "", + sock ? proto2ascii (sock->info.proto, sock->info.af, true) : "", extended_msg, strerror_ts (my_errno, &gc), my_errno); else msg (x_cs_info_level, "%s %s: %s (code=%d)", description, - sock ? proto2ascii (sock->info.proto, true) : "", + sock ? proto2ascii (sock->info.proto, sock->info.af, true) : "", strerror_ts (my_errno, &gc), my_errno); diff --git a/openvpn/src/openvpn/forward-inline.h b/openvpn/src/openvpn/forward-inline.h index 5853ce29..7eb480dd 100644 --- a/openvpn/src/openvpn/forward-inline.h +++ b/openvpn/src/openvpn/forward-inline.h @@ -228,6 +228,7 @@ context_reschedule_sec (struct context *c, int sec) static inline struct link_socket_info * get_link_socket_info (struct context *c) { + if (c->c2.link_socket_info) return c->c2.link_socket_info; else diff --git a/openvpn/src/openvpn/forward.c b/openvpn/src/openvpn/forward.c index 57c78462..9e9c406c 100644 --- a/openvpn/src/openvpn/forward.c +++ b/openvpn/src/openvpn/forward.c 
@@ -620,7 +620,7 @@ check_timeout_random_component (struct context *c) static inline void socks_postprocess_incoming_link (struct context *c) { - if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) + if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDP) socks_process_incoming_udp (&c->c2.buf, &c->c2.from); } @@ -629,7 +629,7 @@ socks_preprocess_outgoing_link (struct context *c, struct link_socket_actual **to_addr, int *size_delta) { - if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) + if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDP) { *size_delta += socks_process_outgoing_udp (&c->c2.to_link, c->c2.to_link_addr); *to_addr = &c->c2.link_socket->socks_relay; @@ -778,7 +778,7 @@ process_incoming_link (struct context *c) fprintf (stderr, "R"); #endif msg (D_LINK_RW, "%s READ [%d] from %s: %s", - proto2ascii (lsi->proto, true), + proto2ascii (lsi->proto, lsi->af, true), BLEN (&c->c2.buf), print_link_socket_actual (&c->c2.from, &gc), PROTO_DUMP (&c->c2.buf, &gc)); @@ -985,9 +985,9 @@ process_incoming_tun (struct context *c) { /* * The --passtos and --mssfix options require - * us to examine the IPv4 header. + * us to examine the IP header (IPv4 or IPv6). */ - process_ipv4_header (c, PIPV4_PASSTOS|PIPV4_MSSFIX|PIPV4_CLIENT_NAT, &c->c2.buf); + process_ip_header (c, PIPV4_PASSTOS|PIP_MSSFIX|PIPV4_CLIENT_NAT, &c->c2.buf); #ifdef PACKET_TRUNCATION_CHECK /* if (c->c2.buf.len > 1) --c->c2.buf.len; */ @@ -1009,10 +1009,10 @@ process_incoming_tun (struct context *c) } void -process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf) +process_ip_header (struct context *c, unsigned int flags, struct buffer *buf) { if (!c->options.ce.mssfix) - flags &= ~PIPV4_MSSFIX; + flags &= ~PIP_MSSFIX; #if PASSTOS_CAPABILITY if (!c->options.passtos) flags &= ~PIPV4_PASSTOS; 
@@ -1027,9 +1027,9 @@ process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf) * us to examine the IPv4 header. */ #if PASSTOS_CAPABILITY - if (flags & (PIPV4_PASSTOS|PIPV4_MSSFIX)) + if (flags & (PIPV4_PASSTOS|PIP_MSSFIX)) #else - if (flags & PIPV4_MSSFIX) + if (flags & PIP_MSSFIX) #endif { struct buffer ipbuf = *buf; @@ -1042,8 +1042,8 @@ process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf) #endif /* possibly alter the TCP MSS */ - if (flags & PIPV4_MSSFIX) - mss_fixup (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame))); + if (flags & PIP_MSSFIX) + mss_fixup_ipv4 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame))); #ifdef ENABLE_CLIENT_NAT /* possibly do NAT on packet */ @@ -1061,6 +1061,12 @@ process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf) route_list_add_vpn_gateway (c->c1.route_list, c->c2.es, dhcp_router); } } + else if (is_ipv6 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf)) + { + /* possibly alter the TCP MSS */ + if (flags & PIP_MSSFIX) + mss_fixup_ipv6 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame))); + } } } } @@ -1116,7 +1122,7 @@ process_outgoing_link (struct context *c) fprintf (stderr, "W"); #endif msg (D_LINK_RW, "%s WRITE [%d] to %s: %s", - proto2ascii (c->c2.link_socket->info.proto, true), + proto2ascii (c->c2.link_socket->info.proto, c->c2.link_socket->info.proto, true), BLEN (&c->c2.to_link), print_link_socket_actual (c->c2.to_link_addr, &gc), PROTO_DUMP (&c->c2.to_link, &gc)); @@ -1217,9 +1223,9 @@ process_outgoing_tun (struct context *c) /* * The --mssfix option requires - * us to examine the IPv4 header. + * us to examine the IP header (IPv4 or IPv6). */ - process_ipv4_header (c, PIPV4_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIPV4_OUTGOING, &c->c2.to_tun); + process_ip_header (c, PIP_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIPV4_OUTGOING, &c->c2.to_tun); if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN (&c->c2.frame)) { 
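Review bot: In the `process_outgoing_link` hunk the D_LINK_RW message calls `proto2ascii (c->c2.link_socket->info.proto, c->c2.link_socket->info.proto, true)`, passing the protocol value twice. The other converted call sites in this commit (`x_check_status` in error.c and `process_incoming_link`) pass the address family as the second argument. The call should read `proto2ascii (c->c2.link_socket->info.proto, c->c2.link_socket->info.af, true)`; as written, the WRITE log line can name the wrong transport family, which makes link traces unreliable during troubleshooting or incident review. The function body starts and ends outside the hunk.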
diff --git a/openvpn/src/openvpn/forward.h b/openvpn/src/openvpn/forward.h index 0f829bde..1830a00b 100644 --- a/openvpn/src/openvpn/forward.h +++ b/openvpn/src/openvpn/forward.h @@ -228,12 +228,12 @@ void process_outgoing_tun (struct context *c); bool send_control_channel_string (struct context *c, const char *str, int msglevel); #define PIPV4_PASSTOS (1<<0) -#define PIPV4_MSSFIX (1<<1) +#define PIP_MSSFIX (1<<1) /* v4 and v6 */ #define PIPV4_OUTGOING (1<<2) #define PIPV4_EXTRACT_DHCP_ROUTER (1<<3) #define PIPV4_CLIENT_NAT (1<<4) -void process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf); +void process_ip_header (struct context *c, unsigned int flags, struct buffer *buf); #if P2MP void schedule_exit (struct context *c, const int n_seconds, const int signal); diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index 1f06eaa5..fe70dd57 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c @@ -125,28 +125,19 @@ management_callback_proxy_cmd (void *arg, const char **p) ret = true; else if (p[2] && p[3]) { - const int port = atoi(p[3]); - if (!legal_ipv4_port (port)) - { - msg (M_WARN, "Bad proxy port number: %s", p[3]); - return false; - } - if (streq (p[1], "HTTP")) { #ifndef ENABLE_HTTP_PROXY msg (M_WARN, "HTTP proxy support is not available"); #else struct http_proxy_options *ho; - if (ce->proto != PROTO_TCPv4 && ce->proto != PROTO_TCPv4_CLIENT && - ce->proto != PROTO_TCPv6 && ce->proto != PROTO_TCPv6_CLIENT) - { + if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT ) { msg (M_WARN, "HTTP proxy support only works for TCP based connections"); return false; } ho = init_http_proxy_options_once (&ce->http_proxy_options, gc); ho->server = string_alloc (p[2], gc); - ho->port = port; + ho->port = p[3]; ho->retry = true; ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL); ret = true; 
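Review bot: `ho->port = p[3];` in `management_callback_proxy_cmd` stores the management command's argument pointer itself, while the line above copies the host with `string_alloc (p[2], gc)`; the SOCKS branch in the next hunk does the same with `ce->socks_proxy_port = p[3];`. If the parameter array belongs to the management command parser (not visible here), the stored port would point at storage that is reused after the callback returns. Copying it like the host avoids that: `ho->port = string_alloc (p[3], gc);` and `ce->socks_proxy_port = string_alloc (p[3], gc);`. The hunk also removes the `legal_ipv4_port` check without a replacement, so the port string from the management interface is accepted here unchecked; a comment naming where it is validated later would help the next reader. The function body starts and ends outside the hunk.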
@@ -158,7 +149,7 @@ management_callback_proxy_cmd (void *arg, const char **p) msg (M_WARN, "SOCKS proxy support is not available"); #else ce->socks_proxy_server = string_alloc (p[2], gc); - ce->socks_proxy_port = port; + ce->socks_proxy_port = p[3]; ret = true; #endif } @@ -225,8 +216,7 @@ management_callback_remote_cmd (void *arg, const char **p) } else if (!strcmp(p[1], "MOD") && p[2] && p[3]) { - const int port = atoi(p[3]); - if (strlen(p[2]) < RH_HOST_LEN && legal_ipv4_port(port)) + if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN) { struct remote_host_store *rhs = c->options.rh_store; if (!rhs) @@ -235,8 +225,10 @@ management_callback_remote_cmd (void *arg, const char **p) c->options.rh_store = rhs; } strncpynt(rhs->host, p[2], RH_HOST_LEN); + strncpynt(rhs->port, p[3], RH_PORT_LEN); + ce->remote = rhs->host; - ce->remote_port = port; + ce->remote_port = rhs->port; flags = CE_MAN_QUERY_REMOTE_MOD; ret = true; } @@ -251,7 +243,7 @@ management_callback_remote_cmd (void *arg, const char **p) } static bool -ce_management_query_remote (struct context *c, const char *remote_ip_hint) +ce_management_query_remote (struct context *c) { struct gc_arena gc = gc_new (); volatile struct connection_entry *ce = &c->options.ce; @@ -260,7 +252,7 @@ ce_management_query_remote (struct context *c, const char *remote_ip_hint) if (management) { struct buffer out = alloc_buf_gc (256, &gc); - buf_printf (&out, ">REMOTE:%s,%d,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, false)); + buf_printf (&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false)); management_notify_generic(management, BSTR (&out)); ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<flags |= (CE_MAN_QUERY_REMOTE_QUERY<flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK); - if (flags == CE_MAN_QUERY_REMOTE_ACCEPT && remote_ip_hint) - ce->remote = remote_ip_hint; ret = (flags != CE_MAN_QUERY_REMOTE_SKIP); } gc_free (&gc); 
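Review bot: In `ce_management_query_remote` the notification is now built with `">REMOTE:%s,%s,%s"`, and `ce->remote_port` is passed to `%s` directly while `ce->remote` stays wrapped in `np()`. With the port changed from an integer to a string, an unset port would hand a NULL pointer to the formatter; whether it can be unset at this point is not visible in the hunk. Wrapping it the same way keeps the two arguments consistent: `np(ce->remote_port)`. The function body continues outside the hunk.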
@@ -292,25 +282,34 @@ static void init_connection_list (struct context *c) { struct connection_list *l = c->options.connection_list; - if (l) + l->current = -1; + if (c->options.remote_random) { - l->current = -1; - if (c->options.remote_random) - { - int i; - for (i = 0; i < l->len; ++i) - { - const int j = get_random () % l->len; - if (i != j) - { - struct connection_entry *tmp; - tmp = l->array[i]; - l->array[i] = l->array[j]; - l->array[j] = tmp; - } - } - } + int i; + for (i = 0; i < l->len; ++i) + { + const int j = get_random () % l->len; + if (i != j) + { + struct connection_entry *tmp; + tmp = l->array[i]; + l->array[i] = l->array[j]; + l->array[j] = tmp; + } + } + } +} + +/* + * Clear the remote address list + */ +static void clear_remote_addrlist (struct link_socket_addr *lsa) +{ + if (lsa->remote_list) { + freeaddrinfo(lsa->remote_list); } + lsa->remote_list = NULL; + lsa->current_remote = NULL; } /* 
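Review bot: `init_connection_list` now executes `l->current = -1;` without the former `if (l)` guard, so it relies on `c->options.connection_list` always being allocated before this call; the next hunk makes the same change in `next_connection_entry`. That invariant is presumably established in option post-processing, which is outside this hunk. Stating it at the top of both functions, for example with `ASSERT (l);`, would turn a silent NULL dereference into a diagnosable failure if a code path ever skips the allocation. The shuffle also evaluates `get_random () % l->len`, so an empty list needs to be excluded by the same invariant.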
@@ -320,67 +319,84 @@ static void next_connection_entry (struct context *c) { struct connection_list *l = c->options.connection_list; - if (l) - { - bool ce_defined; - struct connection_entry *ce; - int n_cycles = 0; - - do { - const char *remote_ip_hint = NULL; - bool newcycle = false; - - ce_defined = true; - if (l->no_advance && l->current >= 0) - { - l->no_advance = false; - } - else - { - if (++l->current >= l->len) - { - l->current = 0; - ++l->n_cycles; - if (++n_cycles >= 2) - msg (M_FATAL, "No usable connection profiles are present"); - } - - if (l->current == 0) - newcycle = true; - } - - ce = l->array[l->current]; + bool ce_defined; + struct connection_entry *ce; + int n_cycles = 0; + + do { + ce_defined = true; + if (c->options.no_advance && l->current >= 0) + { + c->options.no_advance = false; + } + else + { + /* Check if there is another resolved address to try for + * the current connection */ + if (c->c1.link_socket_addr.current_remote && + c->c1.link_socket_addr.current_remote->ai_next) + { + c->c1.link_socket_addr.current_remote = + c->c1.link_socket_addr.current_remote->ai_next; + } + else + { + c->options.unsuccessful_attempts++; + if (++l->current >= l->len) + { + /* FIXME (schwabe) fix the persist-remote-ip option for real, + * this is broken probably ever since connection lists and multiple + * remote existed + */ + /* + * Increase the number of connection attempts + * If this is connect-retry-max * size(l) + * OpenVPN will quit + */ + + if (!c->options.persist_remote_ip) + clear_remote_addrlist (&c->c1.link_socket_addr); + + l->current = 0; + ++l->n_cycles; + if (++n_cycles >= 2) + msg (M_FATAL, "No usable connection profiles are present"); + } + } + } - if (c->options.remote_ip_hint && !l->n_cycles) - remote_ip_hint = c->options.remote_ip_hint; + ce = l->array[l->current]; - if (ce->flags & CE_DISABLED) - ce_defined = false; + if (ce->flags & CE_DISABLED) + ce_defined = false; - c->options.ce = *ce; + c->options.ce = *ce; #ifdef 
ENABLE_MANAGEMENT - if (ce_defined && management && management_query_remote_enabled(management)) - { - /* allow management interface to override connection entry details */ - ce_defined = ce_management_query_remote(c, remote_ip_hint); - if (IS_SIG (c)) - break; - } - else + if (ce_defined && management && management_query_remote_enabled(management)) + { + /* allow management interface to override connection entry details */ + ce_defined = ce_management_query_remote(c); + if (IS_SIG (c)) + break; + } + else #endif - if (remote_ip_hint) - c->options.ce.remote = remote_ip_hint; #ifdef ENABLE_MANAGEMENT - if (ce_defined && management && management_query_proxy_enabled (management)) - { - ce_defined = ce_management_query_proxy (c); - if (IS_SIG (c)) - break; - } + if (ce_defined && management && management_query_proxy_enabled (management)) + { + ce_defined = ce_management_query_proxy (c); + if (IS_SIG (c)) + break; + } #endif - } while (!ce_defined); - } + } while (!ce_defined); + + /* Check if this connection attempt would bring us over the limit */ + if (c->options.connect_retry_max > 0 && + c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max)) + msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting", + c->options.connect_retry_max); update_options_ce_post (&c->options); } @@ -415,12 +431,6 @@ init_query_passwords (struct context *c) #ifdef GENERAL_PROXY_SUPPORT -static int -proxy_scope (struct context *c) -{ - return connection_list_defined (&c->options) ? 2 : 1; -} - static void uninit_proxy_dowork (struct context *c) { 
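Review bot: With the `remote_ip_hint` assignment removed from next_connection_entry, the `else` that closes the management remote-query block is followed directly by `#endif` and `#ifdef ENABLE_MANAGEMENT`, so it now binds to the proxy-query `if`. When ENABLE_MANAGEMENT is defined, `ce_management_query_proxy (c)` is therefore only reached if the remote query branch was not taken, whereas before the two checks ran independently. If that is not intended, drop the `else` and merge the two `#ifdef ENABLE_MANAGEMENT` sections; if it is intended, a comment saying so would help the next reader.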
@@ -482,17 +492,15 @@ init_proxy_dowork (struct context *c) } static void -init_proxy (struct context *c, const int scope) +init_proxy (struct context *c) { - if (scope == proxy_scope (c)) - init_proxy_dowork (c); + init_proxy_dowork (c); } static void uninit_proxy (struct context *c) { - if (c->sig->signal_received != SIGUSR1 || proxy_scope (c) == 2) - uninit_proxy_dowork (c); + uninit_proxy_dowork (c); } #else @@ -544,8 +552,6 @@ context_init_1 (struct context *c) } #endif - /* initialize HTTP or SOCKS proxy object at scope level 1 */ - init_proxy (c, 1); } void @@ -1240,6 +1246,9 @@ void initialization_sequence_completed (struct context *c, const unsigned int flags) { static const char message[] = "Initialization Sequence Completed"; + + /* Reset the unsuccessful connection counter on complete initialisation */ + c->options.unsuccessful_attempts=0; /* If we delayed UID/GID downgrade or chroot, do it now */ do_uid_gid_chroot (c, true); @@ -1258,9 +1267,9 @@ initialization_sequence_completed (struct context *c, const unsigned int flags) else msg (M_INFO, "%s", message); - /* Flag connection_list that we initialized */ - if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && connection_list_defined (&c->options)) - connection_list_set_no_advance (&c->options); + /* Flag that we initialized */ + if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) + c->options.no_advance=true; #ifdef WIN32 fork_register_dns_action (c->c1.tuntap); @@ -1374,8 +1383,8 @@ do_init_tun (struct context *c) c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits, c->options.ifconfig_ipv6_remote, - addr_host (&c->c1.link_socket_addr.local), - addr_host (&c->c1.link_socket_addr.remote), + c->c1.link_socket_addr.bind_local, + c->c1.link_socket_addr.remote_list, !c->options.ifconfig_nowarn, c->c2.es); 
@@ -1853,17 +1862,11 @@ socket_restart_pause (struct context *c) switch (c->options.ce.proto) { - case PROTO_UDPv4: - case PROTO_UDPv6: - if (proxy) - sec = c->options.ce.connect_retry_seconds; - break; - case PROTO_TCPv4_SERVER: - case PROTO_TCPv6_SERVER: + case PROTO_TCP_SERVER: sec = 1; break; - case PROTO_TCPv4_CLIENT: - case PROTO_TCPv6_CLIENT: + case PROTO_UDP: + case PROTO_TCP_CLIENT: sec = c->options.ce.connect_retry_seconds; break; } @@ -2219,7 +2222,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) /* should we not xmit any packets until we get an initial response from client? */ - if (to.server && options->ce.proto == PROTO_TCPv4_SERVER) + if (to.server && options->ce.proto == PROTO_TCP_SERVER) to.xmit_hold = true; #ifdef ENABLE_OCC @@ -2504,8 +2507,6 @@ do_option_warnings (struct context *c) msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS"); #endif - if (script_method == SM_SYSTEM) - msg (M_WARN, "NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion"); } static void @@ -2628,12 +2629,12 @@ do_init_socket_1 (struct context *c, const int mode) #endif link_socket_init_phase1 (c->c2.link_socket, - connection_list_defined (&c->options), c->options.ce.local, c->options.ce.local_port, c->options.ce.remote, c->options.ce.remote_port, c->options.ce.proto, + c->options.ce.af, mode, c->c2.accept_from, #ifdef ENABLE_HTTP_PROXY @@ -2652,9 +2653,7 @@ do_init_socket_1 (struct context *c, const int mode) c->options.ipchange, c->plugins, c->options.resolve_retry_seconds, - c->options.ce.connect_retry_seconds, c->options.ce.connect_timeout, - c->options.ce.connect_retry_max, c->options.ce.mtu_discover_type, c->options.rcvbuf, c->options.sndbuf, @@ -2669,7 +2668,7 @@ static void do_init_socket_2 (struct context *c) { link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame, - &c->sig->signal_received); + c->sig); } /* 
@@ -2841,14 +2840,30 @@ do_close_link_socket (struct context *c) c->c2.link_socket = NULL; } - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) - { - CLEAR (c->c1.link_socket_addr.remote); + + /* Preserve the resolved list of remote if the user request to or if we want + * reconnect to the same host again or there are still addresses that need + * to be tried */ + if (!(c->sig->signal_received == SIGUSR1 && + ( (c->options.persist_remote_ip) + || + ( c->sig->source != SIG_SOURCE_HARD && + ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next) + || c->options.no_advance)) + ))) + { + clear_remote_addrlist(&c->c1.link_socket_addr); + } + + /* Clear the remote actual address when persist_remote_ip is not in use */ + if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) CLEAR (c->c1.link_socket_addr.actual); - } - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) - CLEAR (c->c1.link_socket_addr.local); + if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) { + if (c->c1.link_socket_addr.bind_local) + freeaddrinfo(c->c1.link_socket_addr.bind_local); + c->c1.link_socket_addr.bind_local=NULL; + } } /* @@ -3271,7 +3286,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int /* signals caught here will abort */ c->sig->signal_received = 0; c->sig->signal_text = NULL; - c->sig->hard = false; + c->sig->source = SIG_SOURCE_SOFT; if (c->mode == CM_P2P) init_management_callback_p2p (c); @@ -3290,8 +3305,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int /* link_socket_mode allows CM_CHILD_TCP instances to inherit acceptable fds from a top-level parent */ - if (c->options.ce.proto == PROTO_TCPv4_SERVER - || c->options.ce.proto == PROTO_TCPv6_SERVER) + if (c->options.ce.proto == PROTO_TCP_SERVER) { if (c->mode == CM_TOP) link_socket_mode = LS_MODE_TCP_LISTEN; 
@@ -3358,7 +3372,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int do_event_set_init (c, false); /* initialize HTTP or SOCKS proxy object at scope level 2 */ - init_proxy (c, 2); + init_proxy (c); /* allocate our socket object */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) @@ -3689,7 +3703,7 @@ close_context (struct context *c, int sig, unsigned int flags) if (c->sig->signal_received == SIGUSR1) { if ((flags & CC_USR1_TO_HUP) - || (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP))) + || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP))) c->sig->signal_received = SIGHUP; } diff --git a/openvpn/src/openvpn/manage.c b/openvpn/src/openvpn/manage.c index 45e0bd43..c4e834b2 100644 --- a/openvpn/src/openvpn/manage.c +++ b/openvpn/src/openvpn/manage.c @@ -287,13 +287,13 @@ virtual_output_callback_func (void *arg, const unsigned int flags, const char *s # define AF_DID_PUSH (1<<0) # define AF_DID_RESET (1<<1) - unsigned int action_flags = 0; if (!recursive_level) /* don't allow recursion */ { struct gc_arena gc = gc_new (); struct log_entry e; const char *out = NULL; + unsigned int action_flags = 0; ++recursive_level; @@ -334,14 +334,15 @@ virtual_output_callback_func (void *arg, const unsigned int flags, const char *s } } - --recursive_level; gc_free (&gc); - } - if (action_flags & AF_DID_PUSH) - man_output_list_push_finalize (man); - if (action_flags & AF_DID_RESET) - man_reset_client_socket (man, true); + if (action_flags & AF_DID_PUSH) + man_output_list_push_finalize (man); + if (action_flags & AF_DID_RESET) + man_reset_client_socket (man, true); + + --recursive_level; + } } /* @@ -1460,7 +1461,7 @@ man_new_connection_post (struct management *man, const char *description) #endif msg (D_MANAGEMENT, "MANAGEMENT: %s %s", description, - print_sockaddr (&man->settings.local, &gc)); + print_sockaddr (man->settings.local->ai_addr, &gc)); buffer_list_reset (man->connection.out); 
@@ -1568,7 +1569,8 @@ man_listen (struct management *man) #endif { man->connection.sd_top = create_socket_tcp (AF_INET); - socket_bind (man->connection.sd_top, &man->settings.local, "MANAGEMENT"); + socket_bind (man->connection.sd_top, man->settings.local, + AF_INET, "MANAGEMENT"); } /* @@ -1592,7 +1594,7 @@ man_listen (struct management *man) else #endif msg (D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s", - print_sockaddr (&man->settings.local, &gc)); + print_sockaddr (man->settings.local->ai_addr, &gc)); } #ifdef WIN32 @@ -1635,7 +1637,7 @@ man_connect (struct management *man) { man->connection.sd_cli = create_socket_tcp (AF_INET); status = openvpn_connect (man->connection.sd_cli, - &man->settings.local, + man->settings.local->ai_addr, 5, &signal_received); } @@ -1660,7 +1662,7 @@ man_connect (struct management *man) #endif msg (D_LINK_ERRORS, "MANAGEMENT: connect to %s failed: %s", - print_sockaddr (&man->settings.local, &gc), + print_sockaddr (man->settings.local->ai_addr, &gc), strerror_ts (status, &gc)); throw_signal_soft (SIGTERM, "management-connect-failed"); goto done; @@ -2044,7 +2046,7 @@ man_persist_close (struct man_persist *mp) static void man_settings_init (struct man_settings *ms, const char *addr, - const int port, + const char *port, const char *pass_file, const char *client_user, const char *client_group, @@ -2097,12 +2099,6 @@ man_settings_init (struct man_settings *ms, else #endif { - /* - * Initialize socket address - */ - ms->local.addr.in4.sin_family = AF_INET; - ms->local.addr.in4.sin_addr.s_addr = 0; - ms->local.addr.in4.sin_port = htons (port); /* * Run management over tunnel, or 
@@ -2114,8 +2110,9 @@ man_settings_init (struct man_settings *ms, } else { - ms->local.addr.in4.sin_addr.s_addr = getaddr - (GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL, addr, 0, NULL, NULL); + int status = openvpn_getaddrinfo(GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL, + addr, port, 0, NULL, AF_INET, &ms->local); + ASSERT(status==0); } } @@ -2234,7 +2231,7 @@ management_init (void) bool management_open (struct management *man, const char *addr, - const int port, + const char *port, const char *pass_file, const char *client_user, const char *client_group, @@ -2600,7 +2597,13 @@ management_post_tunnel_open (struct management *man, const in_addr_t tun_local_i && man->connection.state == MS_INITIAL) { /* listen on our local TUN/TAP IP address */ - man->settings.local.addr.in4.sin_addr.s_addr = htonl (tun_local_ip); + struct in_addr ia; + int ret; + + ia.s_addr = htonl(tun_local_ip); + ret = openvpn_getaddrinfo(0, inet_ntoa(ia), NULL, 0, NULL, + AF_INET, &man->settings.local); + ASSERT (ret==0); man_connection_init (man); } diff --git a/openvpn/src/openvpn/manage.h b/openvpn/src/openvpn/manage.h index eec24a2e..d2790dd4 100644 --- a/openvpn/src/openvpn/manage.h +++ b/openvpn/src/openvpn/manage.h @@ -212,7 +212,7 @@ struct man_persist { struct man_settings { bool defined; unsigned int flags; /* MF_x flags */ - struct openvpn_sockaddr local; + struct addrinfo* local; #if UNIX_SOCK_SUPPORT struct sockaddr_un local_unix; #endif @@ -341,7 +341,7 @@ struct management *management_init (void); bool management_open (struct management *man, const char *addr, - const int port, + const char *port, const char *pass_file, const char *client_user, const char *client_group, diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c index d2882d81..fcc85526 100644 --- a/openvpn/src/openvpn/misc.c +++ b/openvpn/src/openvpn/misc.c 
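Review bot: In management_post_tunnel_open the new `openvpn_getaddrinfo(0, inet_ntoa(ia), NULL, 0, NULL, AF_INET, &man->settings.local)` passes NULL in the position where man_settings_init passes `port`, so the management port appears to be lost when the listener moves to the TUN/TAP address; the removed code only rewrote `sin_addr` and kept the port. The call also overwrites `man->settings.local` without releasing a list that may already be stored there, and no `freeaddrinfo()` for this field is visible in these hunks. Because this address decides where the management interface listens, the port should be carried through (for example kept in struct man_settings) and any previous list freed first. The function body starts outside the hunk.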
@@ -53,9 +53,6 @@ const char *iproute_path = IPROUTE_PATH; /* GLOBAL */ /* contains an SSEC_x value defined in misc.h */ int script_security = SSEC_BUILT_IN; /* GLOBAL */ -/* contains SM_x value defined in misc.h */ -int script_method = SM_EXECVE; /* GLOBAL */ - /* * Pass tunnel endpoint and MTU parms to a user-supplied script. * Used to execute the up/down script/plugins. @@ -303,36 +300,25 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i #if defined(ENABLE_FEATURE_EXECVE) if (openvpn_execve_allowed (flags)) { - if (script_method == SM_EXECVE) - { - const char *cmd = a->argv[0]; - char *const *argv = a->argv; - char *const *envp = (char *const *)make_env_array (es, true, &gc); - pid_t pid; - - pid = fork (); - if (pid == (pid_t)0) /* child side */ - { - execve (cmd, argv, envp); - exit (127); - } - else if (pid < (pid_t)0) /* fork failed */ - msg (M_ERR, "openvpn_execve: unable to fork"); - else /* parent side */ - { - if (waitpid (pid, &ret, 0) != pid) - ret = -1; - } - } - else if (script_method == SM_SYSTEM) - { - ret = openvpn_system (argv_system_str (a), es, flags); - } - else - { - ASSERT (0); - } - } + const char *cmd = a->argv[0]; + char *const *argv = a->argv; + char *const *envp = (char *const *)make_env_array (es, true, &gc); + pid_t pid; + + pid = fork (); + if (pid == (pid_t)0) /* child side */ + { + execve (cmd, argv, envp); + exit (127); + } + else if (pid < (pid_t)0) /* fork failed */ + msg (M_ERR, "openvpn_execve: unable to fork"); + else /* parent side */ + { + if (waitpid (pid, &ret, 0) != pid) + ret = -1; + } + } else if (!warn_shown && (script_security < SSEC_SCRIPTS)) { msg (M_WARN, SCRIPT_SECURITY_WARNING); 
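Review bot: In the child branch of openvpn_execve, a failed `execve ()` falls through to `exit (127)`, which runs the parent's atexit handlers and flushes inherited stdio buffers inside the forked child; `_exit (127);` avoids that. The parent side treats any `waitpid ()` result other than `pid` as failure, so an interrupted wait reports -1 while the child may still be running; retrying on EINTR would be more robust. Both lines are carried over from the old SM_EXECVE branch, but they are now the only execution path, so this is a good moment to tighten them. The function starts and ends outside the hunk.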
@@ -352,52 +338,6 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i } #endif -/* - * Wrapper around the system() call. - */ -int -openvpn_system (const char *command, const struct env_set *es, unsigned int flags) -{ -#ifdef HAVE_SYSTEM - int ret; - - perf_push (PERF_SCRIPT); - - /* - * add env_set to environment. - */ - if (flags & S_SCRIPT) - env_set_add_to_environment (es); - - - /* debugging */ - dmsg (D_SCRIPT, "SYSTEM[%u] '%s'", flags, command); - if (flags & S_SCRIPT) - env_set_print (D_SCRIPT, es); - - /* - * execute the command - */ - ret = platform_system(command); - - /* debugging */ - dmsg (D_SCRIPT, "SYSTEM return=%u", ret); - - /* - * remove env_set from environment - */ - if (flags & S_SCRIPT) - env_set_remove_from_environment (es); - - perf_pop (); - return ret; - -#else - msg (M_FATAL, "Sorry but I can't execute the shell command '%s' because this operating system doesn't appear to support the system() call", command); - return -1; /* NOTREACHED */ -#endif -} - /* * Run execve() inside a fork(), duping stdout. Designed to replicate the semantics of popen() but * in a safer way that doesn't require the invocation of a shell or the risks @@ -1056,7 +996,13 @@ hostname_randomize(const char *hostname, struct gc_arena *gc) const char * gen_path (const char *directory, const char *filename, struct gc_arena *gc) { - const char *safe_filename = string_mod_const (filename, CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT, 0, '_', gc); +#if WIN32 + const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON| + CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_MARK|CC_ASTERISK; +#else + const int CC_PATH_RESERVED = CC_SLASH; +#endif + const char *safe_filename = string_mod_const (filename, CC_PRINT, CC_PATH_RESERVED, '_', gc); if (safe_filename && strcmp (safe_filename, ".") diff --git a/openvpn/src/openvpn/misc.h b/openvpn/src/openvpn/misc.h index b6da3f4b..183898e3 100644 --- a/openvpn/src/openvpn/misc.h 
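Review bot: gen_path switches the filename filter from an allow-list (`CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT`) to a deny-list (`CC_PRINT` minus `CC_PATH_RESERVED`), so on non-Windows builds every printable character except `/` now survives, including spaces, quotes, a leading `-` and shell metacharacters. That is acceptable for direct file APIs, but where the filename is derived from peer-supplied data the result must not be interpolated into a command line; a comment such as `/* result may contain any printable character except path separators; never pass it through a shell */` would record that. The guard is also written `#if WIN32` where other files in this diff use `#ifdef WIN32`, which fails to compile if WIN32 is defined without a value. The function continues beyond the hunk.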
+++ b/openvpn/src/openvpn/misc.h @@ -96,7 +96,6 @@ int openvpn_popen (const struct argv *a, const struct env_set *es); int openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags); bool openvpn_execve_check (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message); bool openvpn_execve_allowed (const unsigned int flags); -int openvpn_system (const char *command, const struct env_set *es, unsigned int flags); static inline bool openvpn_run_script (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook) @@ -322,10 +321,6 @@ extern const char *iproute_path; #define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */ extern int script_security; /* GLOBAL */ -#define SM_EXECVE 0 /* call external programs with execve() or CreateProcess() */ -#define SM_SYSTEM 1 /* call external programs with system() */ -extern int script_method; /* GLOBAL */ - /* return the next largest power of 2 */ size_t adjust_power_of_2 (size_t u); diff --git a/openvpn/src/openvpn/mss.c b/openvpn/src/openvpn/mss.c index 8981badc..64fd722f 100644 --- a/openvpn/src/openvpn/mss.c +++ b/openvpn/src/openvpn/mss.c @@ -38,8 +38,13 @@ * problems which arise from protocol * encapsulation. */ + +/* + * IPv4 packet: find TCP header, check flags for "SYN" + * if yes, hand to mss_fixup_dowork() + */ void -mss_fixup (struct buffer *buf, int maxmss) +mss_fixup_ipv4 (struct buffer *buf, int maxmss) { const struct openvpn_iphdr *pip; int hlen; 
@@ -69,6 +74,56 @@ mss_fixup (struct buffer *buf, int maxmss) } } +/* + * IPv6 packet: find TCP header, check flags for "SYN" + * if yes, hand to mss_fixup_dowork() + * (IPv6 header structure is sufficiently different from IPv4...) + */ +void +mss_fixup_ipv6 (struct buffer *buf, int maxmss) +{ + const struct openvpn_ipv6hdr *pip6; + struct buffer newbuf; + + if (BLEN (buf) < (int) sizeof (struct openvpn_ipv6hdr)) + return; + + verify_align_4 (buf); + pip6 = (struct openvpn_ipv6hdr *) BPTR (buf); + + /* do we have the full IPv6 packet? + * "payload_len" does not include IPv6 header (+40 bytes) + */ + if (BLEN (buf) != (int) ntohs(pip6->payload_len)+40 ) + return; + + /* follow header chain until we reach final header, then check for TCP + * + * An IPv6 packet could, theoretically, have a chain of multiple headers + * before the final header (TCP, UDP, ...), so we'd need to walk that + * chain (see RFC 2460 and RFC 6564 for details). + * + * In practice, "most typically used" extention headers (AH, routing, + * fragment, mobility) are very unlikely to be seen inside an OpenVPN + * tun, so for now, we only handle the case of "single next header = TCP" + */ + if ( pip6->nexthdr != OPENVPN_IPPROTO_TCP ) + return; + + newbuf = *buf; + if ( buf_advance( &newbuf, 40 ) ) + { + struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR (&newbuf); + if (tc->flags & OPENVPN_TCPH_SYN_MASK) + mss_fixup_dowork (&newbuf, (uint16_t) maxmss-20); + } +} + +/* + * change TCP MSS option in SYN/SYN-ACK packets, if present + * this is generic for IPv4 and IPv6, as the TCP header is the same + */ + void mss_fixup_dowork (struct buffer *buf, uint16_t maxmss) { diff --git a/openvpn/src/openvpn/mss.h b/openvpn/src/openvpn/mss.h index 0b290c36..0d329432 100644 --- a/openvpn/src/openvpn/mss.h +++ b/openvpn/src/openvpn/mss.h 
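Review bot: mss_fixup_ipv6 reads `tc->flags` right after `buf_advance( &newbuf, 40 )` without checking that a full TCP header remains, so a packet whose payload_len is shorter than a TCP header leads to a read past the packet data. The condition should be `if ( buf_advance( &newbuf, 40 ) && BLEN (&newbuf) >= (int) sizeof (struct openvpn_tcphdr) )`. Separately, `(uint16_t) maxmss-20` casts before subtracting, so a maxmss below 20 wraps to a very large value when converted for mss_fixup_dowork; rejecting or clamping small values first would avoid that.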
@@ -28,7 +28,8 @@ #include "proto.h" #include "error.h" -void mss_fixup (struct buffer *buf, int maxmss); +void mss_fixup_ipv4 (struct buffer *buf, int maxmss); +void mss_fixup_ipv6 (struct buffer *buf, int maxmss); void mss_fixup_dowork (struct buffer *buf, uint16_t maxmss); #endif diff --git a/openvpn/src/openvpn/multi.c b/openvpn/src/openvpn/multi.c index 9876b80a..ab3f10cb 100644 --- a/openvpn/src/openvpn/multi.c +++ b/openvpn/src/openvpn/multi.c @@ -2411,13 +2411,13 @@ multi_get_queue (struct mbuf_set *ms) if (mbuf_extract_item (ms, &item)) /* cleartext IP packet */ { - unsigned int pipv4_flags = PIPV4_PASSTOS; + unsigned int pip_flags = PIPV4_PASSTOS; set_prefix (item.instance); item.instance->context.c2.buf = item.buffer->buf; if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */ - pipv4_flags |= PIPV4_MSSFIX; - process_ipv4_header (&item.instance->context, pipv4_flags, &item.instance->context.c2.buf); + pip_flags |= PIP_MSSFIX; + process_ip_header (&item.instance->context, pip_flags, &item.instance->context.c2.buf); encrypt_sign (&item.instance->context, true); mbuf_free_buf (item.buffer); diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index 47aaffcb..dabc7577 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -167,8 +167,8 @@ static const char usage_message[] = "--ipchange cmd : Run command cmd on remote ip address initial\n" " setting or change -- execute as: cmd ip-address port#\n" "--port port : TCP/UDP port # for both local and remote.\n" - "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n" - "--rport port : TCP/UDP port # for remote (default=%d).\n" + "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n" + "--rport port : TCP/UDP port # for remote (default=%s).\n" "--bind : Bind to local address and port. (This is the default unless\n" " --proto tcp-client" #ifdef ENABLE_HTTP_PROXY 
@@ -248,7 +248,7 @@ static const char usage_message[] = "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" " directives for future OpenVPN versions to be ignored.\n" - "--script-security level mode : mode='execve' (default) or 'system', level=\n" + "--script-security level: Where level can be:\n" " 0 -- strictly no calling of external programs\n" " 1 -- (default) only call built-ins such as ifconfig\n" " 2 -- allow calling of built-ins and scripts\n" @@ -767,10 +767,11 @@ init_options (struct options *o, const bool init_gc) } o->mode = MODE_POINT_TO_POINT; o->topology = TOP_NET30; - o->ce.proto = PROTO_UDPv4; + o->ce.proto = PROTO_UDP; + o->ce.af = AF_UNSPEC; o->ce.connect_retry_seconds = 5; o->ce.connect_timeout = 10; - o->ce.connect_retry_max = 0; + o->connect_retry_max = 0; o->ce.local_port = o->ce.remote_port = OPENVPN_PORT; o->verbosity = 1; o->status_file_update_freq = 60; 
@@ -897,24 +898,24 @@ setenv_connection_entry (struct env_set *es, const struct connection_entry *e, const int i) { - setenv_str_i (es, "proto", proto2ascii (e->proto, false), i); + setenv_str_i (es, "proto", proto2ascii (e->proto, e->af, false), i); setenv_str_i (es, "local", e->local, i); - setenv_int_i (es, "local_port", e->local_port, i); + setenv_str_i (es, "local_port", e->local_port, i); setenv_str_i (es, "remote", e->remote, i); - setenv_int_i (es, "remote_port", e->remote_port, i); + setenv_str_i (es, "remote_port", e->remote_port, i); #ifdef ENABLE_HTTP_PROXY if (e->http_proxy_options) { setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i); - setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i); + setenv_str_i (es, "http_proxy_port", e->http_proxy_options->port, i); } #endif #ifdef ENABLE_SOCKS if (e->socks_proxy_server) { setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i); - setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i); + setenv_str_i (es, "socks_proxy_port", e->socks_proxy_port, i); } #endif } @@ -1216,7 +1217,7 @@ show_p2mp_parms (const struct options *o) SHOW_BOOL (auth_user_pass_verify_script_via_file); #if PORT_SHARE SHOW_STR (port_share_host); - SHOW_INT (port_share_port); + SHOW_STR (port_share_port); #endif #endif /* P2MP_SERVER */ @@ -1287,7 +1288,7 @@ show_http_proxy_options (const struct http_proxy_options *o) { msg (D_SHOW_PARMS, "BEGIN http_proxy"); SHOW_STR (server); - SHOW_INT (port); + SHOW_STR (port); SHOW_STR (auth_method_string); SHOW_STR (auth_file); SHOW_BOOL (retry); 
@@ -1338,17 +1339,16 @@ cnol_check_alloc (struct options *options) static void show_connection_entry (const struct connection_entry *o) { - msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false)); + msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, o->af, false)); SHOW_STR (local); - SHOW_INT (local_port); + SHOW_STR (local_port); SHOW_STR (remote); - SHOW_INT (remote_port); + SHOW_STR (remote_port); SHOW_BOOL (remote_float); SHOW_BOOL (bind_defined); SHOW_BOOL (bind_local); SHOW_INT (connect_retry_seconds); SHOW_INT (connect_timeout); - SHOW_INT (connect_retry_max); #ifdef ENABLE_HTTP_PROXY if (o->http_proxy_options) @@ -1356,7 +1356,7 @@ show_connection_entry (const struct connection_entry *o) #endif #ifdef ENABLE_SOCKS SHOW_STR (socks_proxy_server); - SHOW_INT (socks_proxy_port); + SHOW_STR (socks_proxy_port); SHOW_BOOL (socks_proxy_retry); #endif SHOW_INT (tun_mtu); @@ -1425,6 +1425,7 @@ show_settings (const struct options *o) #endif #endif + SHOW_INT (connect_retry_max); show_connection_entries (o); SHOW_BOOL (remote_random); @@ -1536,7 +1537,7 @@ show_settings (const struct options *o) #ifdef ENABLE_MANAGEMENT SHOW_STR (management_addr); - SHOW_INT (management_port); + SHOW_STR (management_port); SHOW_STR (management_user_pass); SHOW_INT (management_log_history_cache); SHOW_INT (management_echo_buffer_size); @@ -1683,17 +1684,9 @@ parse_http_proxy_override (const char *server, if (server && port) { struct http_proxy_options *ho; - const int int_port = atoi(port); - - if (!legal_ipv4_port (int_port)) - { - msg (msglevel, "Bad http-proxy port number: %s", port); - return NULL; - } - ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc); ho->server = string_alloc(server, gc); - ho->port = int_port; + ho->port = port; ho->retry = true; ho->timeout = 5; if (flags && !strcmp(flags, "nct")) 
@@ -1712,32 +1705,31 @@ void options_postprocess_http_proxy_override (struct options *o) { const struct connection_list *l = o->connection_list; - if (l) + int i; + bool succeed = false; + for (i = 0; i < l->len; ++i) + { + struct connection_entry *ce = l->array[i]; + if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP) + { + ce->http_proxy_options = o->http_proxy_override; + succeed = true; + } + } + if (succeed) { - int i; - bool succeed = false; for (i = 0; i < l->len; ++i) - { - struct connection_entry *ce = l->array[i]; - if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4) - { - ce->http_proxy_options = o->http_proxy_override; - succeed = true; - } - } - if (succeed) - { - for (i = 0; i < l->len; ++i) - { - struct connection_entry *ce = l->array[i]; - if (ce->proto == PROTO_UDPv4) - { - ce->flags |= CE_DISABLED; - } - } - } - else - msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); + { + struct connection_entry *ce = l->array[i]; + if (ce->proto == PROTO_UDP) + { + ce->flags |= CE_DISABLED; + } + } + } + else + { + msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); } } @@ -1796,10 +1788,12 @@ connection_entry_load_re (struct connection_entry *ce, const struct remote_entry { if (re->remote) ce->remote = re->remote; - if (re->remote_port >= 0) + if (re->remote_port) ce->remote_port = re->remote_port; if (re->proto >= 0) ce->proto = re->proto; + if (re->af > 0) + ce->af = re->af; } static void @@ -1829,7 +1823,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne * If "proto tcp" is specified, make sure we know whether it is * tcp-client or tcp-server. */ - if (ce->proto == PROTO_TCPv4) + if (ce->proto == PROTO_TCP) msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); /* 
@@ -1842,10 +1836,10 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if (options->inetd && (ce->local || ce->remote)) msg (M_USAGE, "--local or --remote cannot be used with --inetd"); - if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT) + if (options->inetd && ce->proto == PROTO_TCP_CLIENT) msg (M_USAGE, "--proto tcp-client cannot be used with --inetd"); - if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER) + if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER) msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server"); if (options->inetd == INETD_NOWAIT @@ -1866,13 +1860,11 @@ options_postprocess_verify_ce (const struct options *options, const struct conne * Sanity check on TCP mode options */ - if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT - && ce->proto != PROTO_TCPv6_CLIENT) + if (ce->connect_retry_defined && ce->proto != PROTO_TCP_CLIENT) msg (M_USAGE, "--connect-retry doesn't make sense unless also used with " "--proto tcp-client or tcp6-client"); - if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT - && ce->proto != PROTO_TCPv6_CLIENT) + if (ce->connect_timeout_defined && ce->proto != PROTO_TCP_CLIENT) msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with " "--proto tcp-client or tcp6-client"); @@ -1898,7 +1890,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if (proto_is_net(ce->proto) && string_defined_equal (ce->local, ce->remote) - && ce->local_port == ce->remote_port) + && string_defined_equal (ce->local_port, ce->remote_port)) msg (M_USAGE, "--remote and --local addresses are the same"); if (string_defined_equal (ce->remote, options->ifconfig_local) 
@@ -1971,12 +1963,11 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp"); #endif - if (!ce->remote && (ce->proto == PROTO_TCPv4_CLIENT - || ce->proto == PROTO_TCPv6_CLIENT)) + if (!ce->remote && ce->proto == PROTO_TCP_CLIENT) msg (M_USAGE, "--remote MUST be used in TCP Client mode"); #ifdef ENABLE_HTTP_PROXY - if ((ce->http_proxy_options) && ce->proto != PROTO_TCPv4_CLIENT) + if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT) msg (M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)"); #endif @@ -1986,12 +1977,11 @@ options_postprocess_verify_ce (const struct options *options, const struct conne #endif #ifdef ENABLE_SOCKS - if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER) + if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER) msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode"); #endif - if ((ce->proto == PROTO_TCPv4_SERVER || ce->proto == PROTO_TCPv6_SERVER) - && connection_list_defined (options)) + if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1)) msg (M_USAGE, "TCP server mode allows at most one --remote address"); #if P2MP_SERVER 
@@ -2005,13 +1995,12 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--mode server only works with --dev tun or --dev tap"); if (options->pull) msg (M_USAGE, "--pull cannot be used with --mode server"); - if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCPv4_SERVER - || ce->proto == PROTO_TCPv6_SERVER)) + if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) msg (M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or proto tcp6-server"); #if PORT_SHARE if ((options->port_share_host || options->port_share_port) && - (ce->proto != PROTO_TCPv4_SERVER && ce->proto != PROTO_TCPv6_SERVER)) + (ce->proto != PROTO_TCP_SERVER)) msg (M_USAGE, "--port-share only works in TCP server mode " "(--proto tcp-server or tcp6-server)"); #endif @@ -2041,8 +2030,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--inetd cannot be used with --mode server"); if (options->ipchange) msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)"); - if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCPv4_SERVER - || ce->proto == PROTO_TCPv6_SERVER)) + if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER)) msg (M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or --proto tcp6-server"); if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) 
@@ -2194,13 +2182,15 @@ options_postprocess_verify_ce (const struct options *options, const struct conne } else #endif -#ifdef ENABLE_CRYPTOAPI #ifdef MANAGMENT_EXTERNAL_KEY if((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) - msg (M_USAGE, "--key and --management-external-key are mutually exclusive"); + { + msg (M_USAGE, "--key and --management-external-key are mutually exclusive"); + } + else #endif - - if (options->cryptoapi_cert) +#ifdef ENABLE_CRYPTOAPI + if (options->cryptoapi_cert) { if ((!(options->ca_file)) && (!(options->ca_path))) msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); @@ -2274,7 +2264,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne { notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); #ifdef MANAGMENT_EXTERNAL_KEY - if (!options->management_flags & MF_EXTERNAL_KEY) + if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); } 
@@ -2350,35 +2340,33 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce) #if P2MP_SERVER if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp) { - if (ce->proto == PROTO_TCPv4) - ce->proto = PROTO_TCPv4_SERVER; + if (ce->proto == PROTO_TCP) + ce->proto = PROTO_TCP_SERVER; } #endif #if P2MP if (o->client) { - if (ce->proto == PROTO_TCPv4) - ce->proto = PROTO_TCPv4_CLIENT; - else if (ce->proto == PROTO_TCPv6) - ce->proto = PROTO_TCPv6_CLIENT; + if (ce->proto == PROTO_TCP) + ce->proto = PROTO_TCP_CLIENT; } #endif - if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined) + if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined) ce->bind_local = false; #ifdef ENABLE_SOCKS - if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined) + if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined) ce->bind_local = false; #endif if (!ce->bind_local) - ce->local_port = 0; + ce->local_port = NULL; /* if protocol forcing is enabled, disable all protocols except for the forced one */ - if (o->proto_force >= 0 && proto_is_tcp(o->proto_force) != proto_is_tcp(ce->proto)) + if (o->proto_force >= 0 && o->proto_force != ce->proto) ce->flags |= CE_DISABLED; - + /* * If --mssfix is supplied without a parameter, default * it to --fragment value, if --fragment is specified. 
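Review bot: The proto-force test at the end of this hunk now uses `o->proto_force != ce->proto`, and it runs after the blocks above have rewritten `ce->proto` from PROTO_TCP to PROTO_TCP_SERVER or PROTO_TCP_CLIENT. If `--proto-force tcp` is stored as plain PROTO_TCP (the parsing is outside this hunk, so this is inferred), every TCP entry compares unequal and is flagged CE_DISABLED. Either keep the family comparison, `proto_is_tcp (o->proto_force) != proto_is_tcp (ce->proto)`, or normalise `o->proto_force` the same way as `ce->proto` before comparing. The function body extends beyond the hunk.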
@@ -2488,48 +2476,33 @@ options_postprocess_mutate (struct options *o) if (o->remote_list && !o->connection_list) { /* - * For compatibility with 2.0.x, map multiple --remote options - * into connection list (connection lists added in 2.1). + * Convert remotes into connection list */ - if (o->remote_list->len > 1 || o->force_connection_list) - { - const struct remote_list *rl = o->remote_list; - int i; - for (i = 0; i < rl->len; ++i) - { - const struct remote_entry *re = rl->array[i]; - struct connection_entry ce = o->ce; - struct connection_entry *ace; - - ASSERT (re->remote); - connection_entry_load_re (&ce, re); - ace = alloc_connection_entry (o, M_USAGE); - ASSERT (ace); - *ace = ce; - } - } - else if (o->remote_list->len == 1) /* one --remote option specified */ - { - connection_entry_load_re (&o->ce, o->remote_list->array[0]); - } - else - { - ASSERT (0); - } - } - if (o->connection_list) - { + const struct remote_list *rl = o->remote_list; int i; - for (i = 0; i < o->connection_list->len; ++i) - options_postprocess_mutate_ce (o, o->connection_list->array[i]); + for (i = 0; i < rl->len; ++i) + { + const struct remote_entry *re = rl->array[i]; + struct connection_entry ce = o->ce; + struct connection_entry *ace; + + ASSERT (re->remote); + connection_entry_load_re (&ce, re); + ace = alloc_connection_entry (o, M_USAGE); + ASSERT (ace); + *ace = ce; + } + } + ASSERT (o->connection_list); + int i; + for (i = 0; i < o->connection_list->len; ++i) + options_postprocess_mutate_ce (o, o->connection_list->array[i]); + #if HTTP_PROXY_OVERRIDE - if (o->http_proxy_override) + if (o->http_proxy_override) options_postprocess_http_proxy_override(o); #endif - } - else - options_postprocess_mutate_ce (o, &o->ce); #if P2MP /* 
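Review bot: `ASSERT (o->connection_list);` now runs for every configuration, but the list is only built inside `if (o->remote_list && !o->connection_list)`, and the old fallback `options_postprocess_mutate_ce (o, &o->ce);` is removed. Unless code outside this hunk creates an entry, a configuration with neither `--remote` nor a connection block (a server, for instance) aborts on the assertion. Allocating one entry from `o->ce` in that case keeps the single-list model without the abort. options_postprocess_mutate continues past the end of the hunk.

```c
  /* … unchanged: conversion of o->remote_list into connection entries … */
  else if (!o->connection_list)
    {
      /* neither --remote nor a connection block given: use the default entry */
      struct connection_entry *ace = alloc_connection_entry (o, M_USAGE);
      ASSERT (ace);
      *ace = o->ce;
    }
  ASSERT (o->connection_list);
```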
@@ -2666,7 +2639,7 @@ options_postprocess_filechecks (struct options *options) errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, "--extra-certs"); #ifdef MANAGMENT_EXTERNAL_KEY - if(!options->management_flags & MF_EXTERNAL_KEY) + if(!(options->management_flags & MF_EXTERNAL_KEY)) #endif errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->priv_key_file, R_OK, "--key"); @@ -2916,7 +2889,7 @@ options_string (const struct options *o, buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type)); buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame)); buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame)); - buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote), true)); + buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote),o->ce.af, true)); if (o->tun_ipv6) buf_printf (&out, ",tun-ipv6"); @@ -4096,8 +4069,6 @@ add_option (struct options *options, #ifdef ENABLE_MANAGEMENT else if (streq (p[0], "management") && p[1] && p[2]) { - int port = 0; - VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[2], "unix")) { @@ -4108,18 +4079,9 @@ add_option (struct options *options, goto err; #endif } - else - { - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "port number associated with --management directive is out of range"); - goto err; - } - } options->management_addr = p[1]; - options->management_port = port; + options->management_port = p[2]; if (p[3]) { options->management_user_pass = p[3]; @@ -4149,7 +4111,6 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_QUERY_PROXY; - options->force_connection_list = true; } else if (streq (p[0], "management-hold")) { 
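Review bot: The `management` branch no longer range-checks the port and stores `p[2]` verbatim in `options->management_port`, so an out-of-range or mistyped port is accepted at parse time and only fails later when the address is resolved. In the `unix` case the literal string `unix` is now stored as the port, where the old code left it at 0. The same removal of `legal_ipv4_port()` recurs in the `remote`, `port`, `lport`, `rport`, `http-proxy`, `socks-proxy` and `port-share` branches further down this patch. A shared string check, called from each branch with that branch's existing error message, keeps the early diagnostics while still allowing service names.

```c
/* new helper, placed above add_option(): true for a service name,
 * or for a decimal port in 0..65535 (callers that must reject 0 check that themselves) */
static bool
port_string_ok (const char *s)
{
  int n = 0;
  const char *c;
  if (!s || !*s)
    return false;
  for (c = s; *c; ++c)
    {
      if (*c < '0' || *c > '9')
        return true;            /* not numeric: left to the resolver */
      n = n * 10 + (*c - '0');
      if (n > 65535)
        return false;
    }
  return true;
}

/* … unchanged: VERIFY_PERMISSION and the "unix" branch … */
      else if (!port_string_ok (p[2]))
        {
          msg (msglevel, "port number associated with --management directive is out of range");
          goto err;
        }
```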
@@ -4378,11 +4339,6 @@ add_option (struct options *options, uninit_options (&sub); } } - else if (streq (p[0], "remote-ip-hint") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->remote_ip_hint = p[1]; - } #if HTTP_PROXY_OVERRIDE else if (streq (p[0], "http-proxy-override") && p[1] && p[2]) { @@ -4390,35 +4346,31 @@ add_option (struct options *options, options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc); if (!options->http_proxy_override) goto err; - options->force_connection_list = true; } #endif else if (streq (p[0], "remote") && p[1]) { struct remote_entry re; - re.remote = NULL; - re.remote_port = re.proto = -1; + re.remote = re.remote_port= NULL; + re.proto = -1; + re.af=0; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); re.remote = p[1]; if (p[2]) { - const int port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "remote: port number associated with host %s is out of range", p[1]); - goto err; - } - re.remote_port = port; + re.remote_port = p[2]; if (p[3]) { const int proto = ascii2proto (p[3]); + const sa_family_t af = ascii2af (p[3]); if (proto < 0) { msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]); goto err; } re.proto = proto; + re.af = af; } } if (permission_mask & OPT_P_GENERAL) @@ -4456,7 +4408,7 @@ add_option (struct options *options, else if (streq (p[0], "connect-retry-max") && p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - options->ce.connect_retry_max = positive_atoi (p[1]); + options->connect_retry_max = positive_atoi (p[1]); } else if (streq (p[0], "ipchange") && p[1]) { 
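Review bot: `connect-retry-max` now writes `options->connect_retry_max`, a field this patch moves out of `struct connection_entry`, yet the branch still passes `OPT_P_CONNECTION` to `VERIFY_PERMISSION`. Inside a connection block the option would be accepted but would no longer travel with that entry; how block options are merged is outside this hunk, so this is inferred. Restricting the branch to `VERIFY_PERMISSION (OPT_P_GENERAL);` turns that misuse into a parse error instead of a silent no-op.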
@@ -4811,43 +4763,19 @@ add_option (struct options *options, } else if (streq (p[0], "port") && p[1]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - port = atoi (p[1]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad port number: %s", p[1]); - goto err; - } - options->ce.local_port = options->ce.remote_port = port; + options->ce.local_port = options->ce.remote_port = p[1]; } else if (streq (p[0], "lport") && p[1]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - port = atoi (p[1]); - if ((port != 0) && !legal_ipv4_port (port)) - { - msg (msglevel, "Bad local port number: %s", p[1]); - goto err; - } options->ce.local_port_defined = true; - options->ce.local_port = port; + options->ce.local_port = p[1]; } else if (streq (p[0], "rport") && p[1]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - port = atoi (p[1]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad remote port number: %s", p[1]); - goto err; - } - options->ce.remote_port = port; + options->ce.remote_port = p[1]; } else if (streq (p[0], "bind")) { @@ -4874,8 +4802,10 @@ add_option (struct options *options, else if (streq (p[0], "proto") && p[1]) { int proto; + sa_family_t af; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); proto = ascii2proto (p[1]); + af = ascii2af(p[1]); if (proto < 0) { msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", @@ -4884,6 +4814,7 @@ add_option (struct options *options, goto err; } options->ce.proto = proto; + options->ce.af = af; } else if (streq (p[0], "proto-force") && p[1]) { @@ -4896,7 +4827,6 @@ add_option (struct options *options, goto err; } options->proto_force = proto_force; - options->force_connection_list = true; } #ifdef ENABLE_HTTP_PROXY else if (streq (p[0], "http-proxy") && p[1]) 
@@ -4906,23 +4836,16 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); { - int port; if (!p[2]) { msg (msglevel, "http-proxy port number not defined"); goto err; } - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad http-proxy port number: %s", p[2]); - goto err; - } ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); ho->server = p[1]; - ho->port = port; + ho->port = p[2]; } if (p[3]) @@ -4992,19 +4915,12 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); if (p[2]) - { - int port; - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad socks-proxy port number: %s", p[2]); - goto err; - } - options->ce.socks_proxy_port = port; + { + options->ce.socks_proxy_port = p[2]; } else { - options->ce.socks_proxy_port = 1080; + options->ce.socks_proxy_port = "1080"; } options->ce.socks_proxy_server = p[1]; options->ce.socks_proxy_authfile = p[3]; /* might be NULL */ @@ -5141,6 +5057,11 @@ add_option (struct options *options, msg (msglevel, "--max-routes parameter is out of range"); goto err; } + if (options->routes || options->routes_ipv6) + { + msg (msglevel, "--max-routes must to be specifed before any route/route-ipv6/redirect-gateway option"); + goto err; + } options->max_routes = max_routes; } else if (streq (p[0], "route-gateway") && p[1]) @@ -5293,20 +5214,6 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); script_security = atoi (p[1]); - if (p[2]) - { - if (streq (p[2], "execve")) - script_method = SM_EXECVE; - else if (streq (p[2], "system")) - script_method = SM_SYSTEM; - else - { - msg (msglevel, "unknown --script-security method: %s", p[2]); - goto err; - } - } - else - script_method = SM_EXECVE; } else if (streq (p[0], "mssfix")) { 
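Review bot: The error text added in the `max-routes` branch has two slips, "must to be" and "specifed". Suggested wording: `msg (msglevel, "--max-routes must be specified before any route/route-ipv6/redirect-gateway option");`.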
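Review bot: In the `script-security` branch `p[2]` is no longer examined in the lines shown, so an existing configuration that says `script-security 2 system` is accepted with no sign that the `system` method is gone. This patch also removes `platform_system()`, so scripts run through execve only, and operators who relied on shell semantics should be told. Adding `if (p[2]) msg (M_WARN, "--script-security method argument is no longer supported and is ignored");` after the `atoi` line is enough; rejecting the argument with `goto err` is the stricter alternative.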
@@ -5652,18 +5559,9 @@ add_option (struct options *options, #if PORT_SHARE else if (streq (p[0], "port-share") && p[1] && p[2]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL); - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "port number associated with --port-share directive is out of range"); - goto err; - } - options->port_share_host = p[1]; - options->port_share_port = port; + options->port_share_port = p[2]; options->port_share_journal_dir = p[3]; } #endif diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h index 306520b0..62b1cbf3 100644 --- a/openvpn/src/openvpn/options.h +++ b/openvpn/src/openvpn/options.h @@ -87,9 +87,10 @@ struct options_pre_pull struct connection_entry { int proto; - int local_port; + sa_family_t af; + const char* local_port; bool local_port_defined; - int remote_port; + const char* remote_port; const char *local; const char *remote; bool remote_float; @@ -97,7 +98,6 @@ struct connection_entry bool bind_local; int connect_retry_seconds; bool connect_retry_defined; - int connect_retry_max; int connect_timeout; bool connect_timeout_defined; #ifdef ENABLE_HTTP_PROXY @@ -105,7 +105,7 @@ struct connection_entry #endif #ifdef ENABLE_SOCKS const char *socks_proxy_server; - int socks_proxy_port; + const char *socks_proxy_port; const char *socks_proxy_authfile; bool socks_proxy_retry; #endif @@ -143,8 +143,9 @@ struct connection_entry struct remote_entry { const char *remote; - int remote_port; + const char *remote_port; int proto; + sa_family_t af; }; #define CONNECTION_LIST_SIZE 64 @@ -154,7 +155,6 @@ struct connection_list int len; int current; int n_cycles; - bool no_advance; struct connection_entry *array[CONNECTION_LIST_SIZE]; }; @@ -168,6 +168,8 @@ struct remote_host_store { # define RH_HOST_LEN 80 char host[RH_HOST_LEN]; +#define RH_PORT_LEN 20 + char port[RH_PORT_LEN]; }; /* Command line options */ 
@@ -203,11 +205,15 @@ struct options #endif /* Networking parms */ + int connect_retry_max; struct connection_entry ce; - char *remote_ip_hint; struct connection_list *connection_list; + struct remote_list *remote_list; - bool force_connection_list; + /* Do not advanced the connection or remote addr list*/ + bool no_advance; + /* Counts the number of unsuccessful connection attempts */ + unsigned int unsuccessful_attempts; #if HTTP_PROXY_OVERRIDE struct http_proxy_options *http_proxy_override; @@ -354,7 +360,7 @@ struct options #ifdef ENABLE_MANAGEMENT const char *management_addr; - int management_port; + const char *management_port; const char *management_user_pass; int management_log_history_cache; int management_echo_buffer_size; @@ -449,7 +455,7 @@ struct options bool auth_user_pass_verify_script_via_file; #if PORT_SHARE char *port_share_host; - int port_share_port; + char *port_share_port; const char *port_share_journal_dir; #endif #endif @@ -769,20 +775,5 @@ bool get_ipv6_addr( const char * prefix_str, struct in6_addr *network, unsigned int * netbits, char ** printable_ipv6, int msglevel ); -/* - * inline functions - */ -static inline bool -connection_list_defined (const struct options *o) -{ - return o->connection_list != NULL; -} - -static inline void -connection_list_set_no_advance (struct options *o) -{ - if (o->connection_list) - o->connection_list->no_advance = true; -} #endif diff --git a/openvpn/src/openvpn/pf.c b/openvpn/src/openvpn/pf.c index 3c468019..aafe9ff0 100644 --- a/openvpn/src/openvpn/pf.c +++ b/openvpn/src/openvpn/pf.c @@ -606,7 +606,6 @@ pf_destroy_context (struct pf_context *pfc) if (pfc->filename) { platform_unlink (pfc->filename); - free (pfc->filename); } #endif if (pfc->pfs) diff --git a/openvpn/src/openvpn/pkcs11.c b/openvpn/src/openvpn/pkcs11.c index 645f1f48..3a15ef68 100644 --- a/openvpn/src/openvpn/pkcs11.c +++ b/openvpn/src/openvpn/pkcs11.c 
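Review bot: pf_destroy_context still unlinks `pfc->filename` but no longer frees it, and nothing in this hunk shows the pointer's ownership changing. If the string is still heap-allocated where the context is set up (not visible here), every destroyed context now leaks it. If it has moved to an arena, a comment beside `platform_unlink` would stop the `free` from being re-added, for example `/* filename is owned by <allocator>; do not free here */`, with the placeholder replaced by the real owner. The function starts and ends outside the hunk.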
@@ -887,7 +887,7 @@ show_pkcs11_ids ( (dn = pkcs11_certificate_dn ( certificate, &gc - )) + )) == NULL ) { goto cleanup1; } diff --git a/openvpn/src/openvpn/platform.c b/openvpn/src/openvpn/platform.c index c79f6807..e79de7a7 100644 --- a/openvpn/src/openvpn/platform.c +++ b/openvpn/src/openvpn/platform.c @@ -205,7 +205,7 @@ platform_chdir (const char* dir) } /* - * convert system() return into a success/failure value + * convert execve() return into a success/failure value */ bool platform_system_ok (int stat) @@ -217,19 +217,6 @@ platform_system_ok (int stat) #endif } -/* - * did system() call execute the given command? - */ -bool -platform_system_executed (int stat) -{ -#ifdef WIN32 - return stat != -1; -#else - return stat != -1 && WEXITSTATUS (stat) != 127; -#endif -} - int platform_access (const char *path, int mode) { @@ -288,18 +275,6 @@ platform_unlink (const char *filename) #endif } -int platform_system(const char *command) { - int ret; -#ifdef WIN32 - struct gc_arena gc = gc_new (); - ret = _wsystem (wide_string (command, &gc)); - gc_free (&gc); -#else - ret = system (command); -#endif - return ret; -} - int platform_putenv(char *string) { int status; diff --git a/openvpn/src/openvpn/platform.h b/openvpn/src/openvpn/platform.h index 7bd20671..7c0a4d72 100644 --- a/openvpn/src/openvpn/platform.h +++ b/openvpn/src/openvpn/platform.h @@ -113,10 +113,8 @@ void platform_mlockall (bool print_msg); /* Disable paging */ int platform_chdir (const char* dir); -/* interpret the status code returned by system()/execve() */ +/* interpret the status code returned by execve() */ bool platform_system_ok (int stat); -bool platform_system_executed (int stat); -int platform_system(const char *command); int platform_access (const char *path, int mode); diff --git a/openvpn/src/openvpn/plugin.c b/openvpn/src/openvpn/plugin.c index d785daec..83f79e4f 100644 --- a/openvpn/src/openvpn/plugin.c +++ b/openvpn/src/openvpn/plugin.c 
@@ -98,7 +98,9 @@ plugin_type_name (const int type) case OPENVPN_PLUGIN_TLS_FINAL: return "PLUGIN_TLS_FINAL"; case OPENVPN_PLUGIN_ENABLE_PF: - return "OPENVPN_PLUGIN_ENABLE_PF"; + return "PLUGIN_ENABLE_PF"; + case OPENVPN_PLUGIN_ROUTE_PREDOWN: + return "PLUGIN_ROUTE_PREDOWN"; default: return "PLUGIN_???"; } @@ -376,10 +378,10 @@ plugin_open_item (struct plugin *p, struct openvpn_plugin_args_open_return retargs; CLEAR(retargs); + retargs.return_list = retlist; if ((*p->open3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs) == OPENVPN_PLUGIN_FUNC_SUCCESS) { p->plugin_type_mask = retargs.type_mask; p->plugin_handle = retargs.handle; - retlist = retargs.return_list; } else { p->plugin_handle = NULL; } @@ -458,8 +460,8 @@ plugin_call_item (const struct plugin *p, struct openvpn_plugin_args_func_return retargs; CLEAR(retargs); + retargs.return_list = retlist; status = (*p->func3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs); - retlist = retargs.return_list; } else if (p->func2) status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp, per_client_context, retlist); else if (p->func1) diff --git a/openvpn/src/openvpn/proto.c b/openvpn/src/openvpn/proto.c index 2cf8314b..b437f1ad 100644 --- a/openvpn/src/openvpn/proto.c +++ b/openvpn/src/openvpn/proto.c @@ -36,11 +36,12 @@ #include "memdbg.h" /* - * If raw tunnel packet is IPv4, return true and increment + * If raw tunnel packet is IPv, return true and increment * buffer offset to start of IP header. */ +static bool -is_ipv4 (int tunnel_type, struct buffer *buf) +is_ipv_X ( int tunnel_type, struct buffer *buf, int ip_ver ) { int offset; const struct openvpn_iphdr *ih; 
@@ -68,12 +69,24 @@ is_ipv4 (int tunnel_type, struct buffer *buf) ih = (const struct openvpn_iphdr *) (BPTR (buf) + offset); - if (OPENVPN_IPH_GET_VER (ih->version_len) == 4) + /* IP version is stored in the same bits for IPv4 or IPv6 header */ + if (OPENVPN_IPH_GET_VER (ih->version_len) == ip_ver) return buf_advance (buf, offset); else return false; } +bool +is_ipv4 (int tunnel_type, struct buffer *buf) +{ + return is_ipv_X( tunnel_type, buf, 4 ); +} +bool +is_ipv6 (int tunnel_type, struct buffer *buf) +{ + return is_ipv_X( tunnel_type, buf, 6 ); +} + #ifdef PACKET_TRUNCATION_CHECK void diff --git a/openvpn/src/openvpn/proto.h b/openvpn/src/openvpn/proto.h index 8cd4edec..f91e787e 100644 --- a/openvpn/src/openvpn/proto.h +++ b/openvpn/src/openvpn/proto.h @@ -219,10 +219,11 @@ struct ip_tcp_udp_hdr { - sizeof(struct openvpn_tcphdr)) /* - * If raw tunnel packet is IPv4, return true and increment + * If raw tunnel packet is IPv4 or IPv6, return true and increment * buffer offset to start of IP header. */ bool is_ipv4 (int tunnel_type, struct buffer *buf); +bool is_ipv6 (int tunnel_type, struct buffer *buf); #ifdef PACKET_TRUNCATION_CHECK void ipv4_packet_size_verify (const uint8_t *data, diff --git a/openvpn/src/openvpn/proxy.c b/openvpn/src/openvpn/proxy.c index 363d8a73..17748504 100644 --- a/openvpn/src/openvpn/proxy.c +++ b/openvpn/src/openvpn/proxy.c @@ -444,7 +444,7 @@ http_proxy_new (const struct http_proxy_options *o) if (!o || !o->server) msg (M_FATAL, "HTTP_PROXY: server not specified"); - ASSERT (legal_ipv4_port (o->port)); + ASSERT ( o->port); ALLOC_OBJ_CLEAR (p, struct http_proxy_info); p->options = *o; @@ -493,7 +493,7 @@ bool establish_http_proxy_passthru (struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *port, /* openvpn server port */ struct buffer *lookahead, volatile int *signal_received) { 
@@ -521,7 +521,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, else { /* format HTTP CONNECT message */ - openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s", + openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); @@ -642,7 +642,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, /* now send the phase 3 reply */ /* format HTTP CONNECT message */ - openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s", + openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); @@ -730,7 +730,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, /* build the digest response */ - openvpn_snprintf (uri, sizeof(uri), "%s:%d", + openvpn_snprintf (uri, sizeof(uri), "%s:%s", host, port); diff --git a/openvpn/src/openvpn/proxy.h b/openvpn/src/openvpn/proxy.h index 5e476f16..9d75e063 100644 --- a/openvpn/src/openvpn/proxy.h +++ b/openvpn/src/openvpn/proxy.h @@ -40,7 +40,7 @@ struct http_proxy_options { const char *server; - int port; + const char *port; bool retry; int timeout; @@ -57,7 +57,7 @@ struct http_proxy_options { struct http_proxy_options_simple { const char *server; - int port; + const char *port; int auth_retry; }; @@ -80,7 +80,7 @@ void http_proxy_close (struct http_proxy_info *hp); bool establish_http_proxy_passthru (struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *port, /* openvpn server port */ struct buffer *lookahead, volatile int *signal_received); diff --git a/openvpn/src/openvpn/ps.c b/openvpn/src/openvpn/ps.c index 6495dc71..c1868642 100644 --- a/openvpn/src/openvpn/ps.c +++ b/openvpn/src/openvpn/ps.c 
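Review bot: `port` is now a caller-supplied string formatted with `%s` into the CONNECT request line, in both `CONNECT %s:%s HTTP/%s` calls and in the digest `uri`, and nothing visible in this patch checks its contents first. With `%d` the value could only be digits. Now a service name, which the string-port change otherwise permits, or any other character that survives option parsing ends up in the request, although a CONNECT target requires a numeric port. Checking `strspn (port, "0123456789") != strlen (port)` once at the top of establish_http_proxy_passthru and failing the connection attempt covers all three format calls. The function body extends beyond these hunks.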
@@ -330,8 +330,8 @@ journal_add (const char *journal_dir, struct proxy_connection *pc, struct proxy_ if (!getpeername (pc->sd, (struct sockaddr *) &from.addr.sa, &slen) && !getsockname (cp->sd, (struct sockaddr *) &to.addr.sa, &dlen)) { - const char *f = print_sockaddr_ex (&from, ":", PS_SHOW_PORT, &gc); - const char *t = print_sockaddr_ex (&to, ":", PS_SHOW_PORT, &gc); + const char *f = print_openvpn_sockaddr (&from, &gc); + const char *t = print_openvpn_sockaddr (&to, &gc); fnlen = strlen(journal_dir) + strlen(t) + 2; jfn = (char *) malloc(fnlen); check_malloc_return (jfn); @@ -403,8 +403,7 @@ proxy_connection_io_requeue (struct proxy_connection *pc, const int rwflags_new, static bool proxy_entry_new (struct proxy_connection **list, struct event_set *es, - const in_addr_t server_addr, - const int server_port, + const struct sockaddr_in server_addr, const socket_descriptor_t sd_client, struct buffer *initial_data, const char *journal_dir) @@ -416,7 +415,7 @@ proxy_entry_new (struct proxy_connection **list, struct proxy_connection *cp; /* connect to port share server */ - sock_addr_set (&osaddr, server_addr, server_port); + osaddr.addr.in4 = server_addr; if ((sd_server = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { msg (M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket"); @@ -482,8 +481,7 @@ static bool control_message_from_parent (const socket_descriptor_t sd_control, struct proxy_connection **list, struct event_set *es, - const in_addr_t server_addr, - const int server_port, + const struct sockaddr_in server_addr, const int max_initial_buf, const char *journal_dir) { @@ -539,7 +537,6 @@ control_message_from_parent (const socket_descriptor_t sd_control, if (proxy_entry_new (list, es, server_addr, - server_port, received_fd, &buf, journal_dir)) 
@@ -716,8 +713,7 @@ proxy_connection_io_dispatch (struct proxy_connection *pc, * This is the main function for the port share proxy background process. */ static void -port_share_proxy (const in_addr_t hostaddr, - const int port, +port_share_proxy (const struct sockaddr_in hostaddr, const socket_descriptor_t sd_control, const int max_initial_buf, const char *journal_dir) @@ -754,7 +750,7 @@ port_share_proxy (const in_addr_t hostaddr, const struct event_set_return *e = &esr[i]; if (e->arg == sd_control_marker) { - if (!control_message_from_parent (sd_control, &list, es, hostaddr, port, max_initial_buf, journal_dir)) + if (!control_message_from_parent (sd_control, &list, es, hostaddr, max_initial_buf, journal_dir)) goto done; } else @@ -789,14 +785,16 @@ port_share_proxy (const in_addr_t hostaddr, */ struct port_share * port_share_open (const char *host, - const int port, + const char *port, const int max_initial_buf, const char *journal_dir) { pid_t pid; socket_descriptor_t fd[2]; - in_addr_t hostaddr; + struct sockaddr_in hostaddr; struct port_share *ps; + int status; + struct addrinfo* ai; ALLOC_OBJ_CLEAR (ps, struct port_share); ps->foreground_fd = -1; @@ -805,7 +803,12 @@ port_share_open (const char *host, /* * Get host's IP address */ - hostaddr = getaddr (GETADDR_RESOLVE|GETADDR_HOST_ORDER|GETADDR_FATAL, host, 0, NULL, NULL); + + status = openvpn_getaddrinfo (GETADDR_RESOLVE|GETADDR_HOST_ORDER|GETADDR_FATAL, + host, port, 0, NULL, AF_INET, &ai); + ASSERT (status==0); + hostaddr = *((struct sockaddr_in*) ai->ai_addr); + freeaddrinfo(ai); /* * Make a socket for foreground and background processes @@ -881,7 +884,7 @@ port_share_open (const char *host, prng_init (NULL, 0); /* execute the event loop */ - port_share_proxy (hostaddr, port, fd[1], max_initial_buf, journal_dir); + port_share_proxy (hostaddr, fd[1], max_initial_buf, journal_dir); openvpn_close_socket (fd[1]); 
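Review bot: port_share_open passes `GETADDR_HOST_ORDER` to `openvpn_getaddrinfo()`, while the socket.c part of this same patch adds `ASSERT (!(flags & GETADDR_HOST_ORDER));` to that function, so enabling `--port-share` would hit the assertion. Drop the flag from the call: `status = openvpn_getaddrinfo (GETADDR_RESOLVE|GETADDR_FATAL, host, port, 0, NULL, AF_INET, &ai);`. The `sockaddr_in` copied from `ai->ai_addr` is already in network byte order, which is what the later `osaddr.addr.in4 = server_addr;` assignment in proxy_entry_new needs.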
diff --git a/openvpn/src/openvpn/ps.h b/openvpn/src/openvpn/ps.h index 4280635d..e8919d48 100644 --- a/openvpn/src/openvpn/ps.h +++ b/openvpn/src/openvpn/ps.h @@ -44,7 +44,7 @@ struct port_share { extern struct port_share *port_share; struct port_share *port_share_open (const char *host, - const int port, + const char *port, const int max_initial_buf, const char *journal_dir); diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c index 05a38e0d..929a2f24 100644 --- a/openvpn/src/openvpn/push.c +++ b/openvpn/src/openvpn/push.c @@ -49,7 +49,7 @@ void receive_auth_failed (struct context *c, const struct buffer *buffer) { msg (M_VERB0, "AUTH: Received control message: %s", BSTR(buffer)); - connection_list_set_no_advance(&c->options); + c->options.no_advance=true; if (c->options.pull) { switch (auth_retry_get ()) diff --git a/openvpn/src/openvpn/route.c b/openvpn/src/openvpn/route.c index caa2459b..8a778884 100644 --- a/openvpn/src/openvpn/route.c +++ b/openvpn/src/openvpn/route.c @@ -294,12 +294,12 @@ init_route (struct route *r, if(get_special_addr (rl, ro->network, &special.s_addr, &status)) { special.s_addr = htonl(special.s_addr); - ret = openvpn_getaddrinfo(0, inet_ntoa(special), 0, NULL, + ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL, AF_INET, network_list); } else ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, - ro->network, 0, NULL, AF_INET, network_list); + ro->network, NULL, 0, NULL, AF_INET, network_list); status = (ret == 0); @@ -2722,7 +2722,7 @@ get_default_gateway (struct route_gateway_info *rgi) if (write(s, (char *)&m_rtmsg, l) < 0) { - warn("writing to routing socket"); + msg(M_WARN|M_ERRNO, "Could not retrieve default gateway from route socket:"); gc_free (&gc); close(s); return; 
@@ -3088,7 +3088,7 @@ get_default_gateway (struct route_gateway_info *rgi) if (write(s, (char *)&m_rtmsg, l) < 0) { - warn("writing to routing socket"); + msg(M_WARN|M_ERRNO, "Could not retrieve default gateway from route socket:"); gc_free (&gc); close(s); return; diff --git a/openvpn/src/openvpn/sig.c b/openvpn/src/openvpn/sig.c index 0ebde245..7ddfd0ed 100644 --- a/openvpn/src/openvpn/sig.c +++ b/openvpn/src/openvpn/sig.c @@ -97,14 +97,14 @@ void throw_signal (const int signum) { siginfo_static.signal_received = signum; - siginfo_static.hard = true; + siginfo_static.source = SIG_SOURCE_HARD; } void throw_signal_soft (const int signum, const char *signal_text) { siginfo_static.signal_received = signum; - siginfo_static.hard = false; + siginfo_static.source = SIG_SOURCE_SOFT; siginfo_static.signal_text = signal_text; } @@ -115,7 +115,7 @@ signal_reset (struct signal_info *si) { si->signal_received = 0; si->signal_text = NULL; - si->hard = false; + si->source = SIG_SOURCE_SOFT; } } @@ -124,9 +124,23 @@ print_signal (const struct signal_info *si, const char *title, int msglevel) { if (si) { - const char *hs = (si->hard ? "hard" : "soft"); const char *type = (si->signal_text ? si->signal_text : ""); const char *t = (title ? title : "process"); + const char *hs; + switch (si->source) + { + case SIG_SOURCE_SOFT: + hs= "soft"; + break; + case SIG_SOURCE_HARD: + hs = "hard"; + break; + case SIG_SOURCE_CONNECTION_FAILED: + hs = "connection failed(soft)"; + break; + default: + ASSERT(0); + } switch (si->signal_received) { diff --git a/openvpn/src/openvpn/sig.h b/openvpn/src/openvpn/sig.h index 987efef5..c2c7b54e 100644 --- a/openvpn/src/openvpn/sig.h +++ b/openvpn/src/openvpn/sig.h 
@@ -28,6 +28,15 @@ #include "status.h" #include "win32.h" + + +#define SIG_SOURCE_SOFT 0 +#define SIG_SOURCE_HARD 1 +/* CONNECTION_FAILED is also a "soft" status, + * It is thrown if a connection attempt fails + */ +#define SIG_SOURCE_CONNECTION_FAILED 2 + /* * Signal information, including signal code * and descriptive text. @@ -35,7 +44,7 @@ struct signal_info { volatile int signal_received; - volatile bool hard; + volatile int source; const char *signal_text; }; diff --git a/openvpn/src/openvpn/socket.c b/openvpn/src/openvpn/socket.c index 1e38e82c..c861fdd2 100644 --- a/openvpn/src/openvpn/socket.c +++ b/openvpn/src/openvpn/socket.c @@ -101,8 +101,8 @@ getaddr (unsigned int flags, { struct addrinfo *ai; int status; - status = openvpn_getaddrinfo(flags, hostname, resolve_retry_seconds, - signal_received, AF_INET, &ai); + status = openvpn_getaddrinfo (flags & ~GETADDR_HOST_ORDER, hostname, NULL, + resolve_retry_seconds, signal_received, AF_INET, &ai); if(status==0) { struct in_addr ia; if(succeeded) @@ -125,6 +125,7 @@ getaddr (unsigned int flags, int openvpn_getaddrinfo (unsigned int flags, const char *hostname, + const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, @@ -135,6 +136,8 @@ openvpn_getaddrinfo (unsigned int flags, int sigrec = 0; int msglevel = (flags & GETADDR_FATAL) ? M_FATAL : D_RESOLVE_ERRORS; struct gc_arena gc = gc_new (); + const char *print_hostname; + const char *print_servname; ASSERT(res); @@ -142,8 +145,19 @@ openvpn_getaddrinfo (unsigned int flags, res_init (); #endif - if (!hostname) - hostname = "::"; + ASSERT (hostname || servname); + ASSERT (!(flags & GETADDR_HOST_ORDER)); + + if(hostname) + print_hostname = hostname; + else + print_hostname = "undefined"; + + if(servname) + print_servname = servname; + else + print_servname = ""; + if (flags & GETADDR_RANDOMIZE) hostname = hostname_randomize(hostname, &gc); 
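Review bot: With the `hostname = "::"` default removed from openvpn_getaddrinfo, a NULL hostname, which the new `ASSERT (hostname || servname)` permits, now reaches `hostname_randomize(hostname, &gc)` whenever GETADDR_RANDOMIZE is set. hostname_randomize is not shown on this page, so whether it tolerates NULL needs confirming. If it does not, guard the call with `if ((flags & GETADDR_RANDOMIZE) && hostname)`. The function body continues outside this hunk.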
@@ -159,25 +173,36 @@ openvpn_getaddrinfo (unsigned int flags, CLEAR(hints); hints.ai_family = ai_family; hints.ai_flags = AI_NUMERICHOST; - hints.ai_socktype = dnsflags_to_socktype(flags); + hints.ai_socktype = SOCK_STREAM; + + if(flags & GETADDR_PASSIVE) + hints.ai_flags |= AI_PASSIVE; + + if(flags & GETADDR_DATAGRAM) + hints.ai_socktype = SOCK_DGRAM; + else + hints.ai_socktype = SOCK_STREAM; - status = getaddrinfo(hostname, NULL, &hints, res); + status = getaddrinfo(hostname, servname, &hints, res); if (status != 0) /* parse as numeric address failed? */ { const int fail_wait_interval = 5; /* seconds */ - int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 : (resolve_retry_seconds / fail_wait_interval); + /* Add +4 to cause integer division rounding up (1 + 4) = 5, (0+4)/5=0 */ + int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 : + ((resolve_retry_seconds + 4)/ fail_wait_interval); const char *fmt; int level = 0; - - fmt = "RESOLVE: Cannot resolve host address: %s: %s"; + + fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s)"; if ((flags & GETADDR_MENTION_RESOLVE_RETRY) && !resolve_retry_seconds) - fmt = "RESOLVE: Cannot resolve host address: %s: %s (I would have retried this name query if you had specified the --resolv-retry option.)"; + fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s) (I would have retried this name query if you had specified the --resolv-retry option.)"; if (!(flags & GETADDR_RESOLVE) || status == EAI_FAIL) { - msg (msglevel, "RESOLVE: Cannot parse IP address: %s", hostname); + msg (msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)", + print_hostname,print_servname, gai_strerror(status)); goto done; } 
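Review bot: The retry count in openvpn_getaddrinfo rounds up with a literal `+ 4`, which is only correct while `fail_wait_interval` stays 5. Writing `(resolve_retry_seconds + fail_wait_interval - 1) / fail_wait_interval` expresses the same ceiling division and stays right if the interval changes. The added `hints.ai_socktype = SOCK_STREAM;` just above is also redundant, because the if/else on GETADDR_DATAGRAM that follows assigns ai_socktype on both branches.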
@@ -199,10 +224,10 @@ openvpn_getaddrinfo (unsigned int flags, while (true) { /* try hostname lookup */ - hints.ai_flags = 0; + hints.ai_flags &= ~AI_NUMERICHOST; dmsg (D_SOCKET_DEBUG, "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d", flags, hints.ai_family, hints.ai_socktype); - status = getaddrinfo(hostname, NULL, &hints, res); + status = getaddrinfo(hostname, servname, &hints, res); if (signal_received) { @@ -236,7 +261,8 @@ openvpn_getaddrinfo (unsigned int flags, msg (level, fmt, - hostname, + print_hostname, + print_servname, gai_strerror(status)); if (--resolve_retries <= 0) @@ -249,7 +275,8 @@ openvpn_getaddrinfo (unsigned int flags, /* hostname resolve succeeded */ - /* Do not chose an IP Addresse by random or change the order * + /* + * Do not chose an IP Addresse by random or change the order * * of IP addresses, doing so will break RFC 3484 address selection * */ } 
@@ -419,59 +446,6 @@ mac_addr_safe (const char *mac_addr) return true; } -static void -update_remote (const char* host, - struct openvpn_sockaddr *addr, - bool *changed, - const unsigned int sockflags) -{ - switch(addr->addr.sa.sa_family) - { - case AF_INET: - if (host && addr) - { - const in_addr_t new_addr = getaddr ( - sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sockflags), - host, - 1, - NULL, - NULL); - if (new_addr && addr->addr.in4.sin_addr.s_addr != new_addr) - { - addr->addr.in4.sin_addr.s_addr = new_addr; - *changed = true; - } - } - break; - case AF_INET6: - if (host && addr) - { - int status; - struct addrinfo* ai; - - status = openvpn_getaddrinfo(sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sockflags), host, 1, NULL, AF_INET6, &ai); - - if ( status ==0 ) - { - struct sockaddr_in6 sin6; - CLEAR(sin6); - sin6 = *((struct sockaddr_in6*)ai->ai_addr); - if (!IN6_ARE_ADDR_EQUAL(&sin6.sin6_addr, &addr->addr.in6.sin6_addr)) - { - int port = addr->addr.in6.sin6_port; - /* ipv6 requires also eg. sin6_scope_id => easier to fully copy and override port */ - addr->addr.in6 = sin6; - addr->addr.in6.sin6_port = port; - } - freeaddrinfo(ai); - } - } - break; - default: - ASSERT(0); - } -} - static int socket_get_sndbuf (int sd) { 
@@ -643,51 +617,41 @@ create_socket_tcp (int af) } static socket_descriptor_t -create_socket_udp (const unsigned int flags) +create_socket_udp (const int af, const unsigned int flags) { socket_descriptor_t sd; - if ((sd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) - msg (M_ERR, "UDP: Cannot create UDP socket"); + if ((sd = socket (af, SOCK_DGRAM, IPPROTO_UDP)) < 0) + msg (M_ERR, "UDP: Cannot create UDP/UDP6 socket"); #if ENABLE_IP_PKTINFO else if (flags & SF_USE_IP_PKTINFO) { int pad = 1; + if(af == AF_INET) + { #ifdef IP_PKTINFO - if (setsockopt (sd, SOL_IP, IP_PKTINFO, - (void*)&pad, sizeof(pad)) < 0) - msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO"); + if (setsockopt (sd, SOL_IP, IP_PKTINFO, + (void*)&pad, sizeof(pad)) < 0) + msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO"); #elif defined(IP_RECVDSTADDR) - if (setsockopt (sd, IPPROTO_IP, IP_RECVDSTADDR, - (void*)&pad, sizeof(pad)) < 0) - msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR"); + if (setsockopt (sd, IPPROTO_IP, IP_RECVDSTADDR, + (void*)&pad, sizeof(pad)) < 0) + msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR"); #else #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif - } -#endif - return sd; -} - -static socket_descriptor_t -create_socket_udp6 (const unsigned int flags) -{ - socket_descriptor_t sd; - - if ((sd = socket (PF_INET6, SOCK_DGRAM, IPPROTO_UDP)) < 0) - msg (M_ERR, "UDP: Cannot create UDP6 socket"); -#if ENABLE_IP_PKTINFO - else if (flags & SF_USE_IP_PKTINFO) - { - int pad = 1; + } + else if (af == AF_INET6 ) + { #ifndef IPV6_RECVPKTINFO /* Some older Darwin platforms require this */ - if (setsockopt (sd, IPPROTO_IPV6, IPV6_PKTINFO, - (void*)&pad, sizeof(pad)) < 0) + if (setsockopt (sd, IPPROTO_IPV6, IPV6_PKTINFO, + (void*)&pad, sizeof(pad)) < 0) #else - if (setsockopt (sd, IPPROTO_IPV6, IPV6_RECVPKTINFO, - (void*)&pad, sizeof(pad)) < 0) + if (setsockopt (sd, IPPROTO_IPV6, IPV6_RECVPKTINFO, + (void*)&pad, sizeof(pad)) < 0) 
#endif - msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO"); + msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO"); + } } #endif return sd; @@ -696,10 +660,16 @@ create_socket_udp6 (const unsigned int flags) static void create_socket (struct link_socket *sock) { - /* create socket */ - if (sock->info.proto == PROTO_UDPv4) + /* create socket, use information carried over from getaddrinfo */ + const int ai_proto = sock->info.lsa->actual.ai_protocol; + const int ai_family = sock->info.lsa->actual.ai_family; + + ASSERT (sock->info.af == AF_UNSPEC || sock->info.af == ai_family); + + + if (ai_proto == IPPROTO_UDP) { - sock->sd = create_socket_udp (sock->sockflags); + sock->sd = create_socket_udp (ai_family, sock->sockflags); sock->sockflags |= SF_GETADDRINFO_DGRAM; #ifdef ENABLE_SOCKS @@ -707,20 +677,9 @@ create_socket (struct link_socket *sock) sock->ctrl_sd = create_socket_tcp (AF_INET); #endif } - else if (sock->info.proto == PROTO_TCPv4_SERVER - || sock->info.proto == PROTO_TCPv4_CLIENT) - { - sock->sd = create_socket_tcp (AF_INET); - } - else if (sock->info.proto == PROTO_TCPv6_SERVER - || sock->info.proto == PROTO_TCPv6_CLIENT) + else if (ai_proto == IPPROTO_TCP) { - sock->sd = create_socket_tcp (AF_INET6); - } - else if (sock->info.proto == PROTO_UDPv6) - { - sock->sd = create_socket_udp6 (sock->sockflags); - sock->sockflags |= SF_GETADDRINFO_DGRAM; + sock->sd = create_socket_tcp (ai_family); } else { @@ -740,10 +699,9 @@ create_socket (struct link_socket *sock) /* * Functions used for establishing a TCP stream connection. */ - static void socket_do_listen (socket_descriptor_t sd, - const struct openvpn_sockaddr *local, + const struct sockaddr *local, bool do_listen, bool do_set_nonblock) { 
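Review bot: create_socket now reads the protocol and family from `sock->info.lsa->actual`, which set_actual_address fills in only when resolve_remote has a `current_remote`. In the resolve_remote hunk further down, `actual` is cleared and left zeroed when nothing was resolved, so `ai_protocol` would be 0 and neither the IPPROTO_UDP nor the IPPROTO_TCP branch would match. The new `ASSERT (sock->info.af == AF_UNSPEC || sock->info.af == ai_family)` would also fail for an explicit family. The else branch lies outside this hunk, so what happens for a listen-only socket with no remote should be checked. Falling back to the family and socket type of `lsa->bind_local` in that case, or at least a comment on create_socket stating that a resolved remote is a precondition, would make this explicit.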
@@ -833,8 +791,7 @@ static int socket_listen_accept (socket_descriptor_t sd, struct link_socket_actual *act, const char *remote_dynamic, - bool *remote_changed, - const struct openvpn_sockaddr *local, + const struct addrinfo *local, bool do_listen, bool nowait, volatile int *signal_received) @@ -845,7 +802,7 @@ socket_listen_accept (socket_descriptor_t sd, int new_sd = SOCKET_UNDEFINED; CLEAR (*act); - socket_do_listen (sd, local, do_listen, true); + socket_do_listen (sd, local->ai_addr, do_listen, true); while (true) { @@ -880,18 +837,26 @@ socket_listen_accept (socket_descriptor_t sd, if (socket_defined (new_sd)) { - update_remote (remote_dynamic, &remote_verify, remote_changed, 0); - if (addr_defined (&remote_verify) - && !addr_match (&remote_verify, &act->dest)) - { - msg (M_WARN, - "TCP NOTE: Rejected connection attempt from %s due to --remote setting", - print_link_socket_actual (act, &gc)); - if (openvpn_close_socket (new_sd)) - msg (M_ERR, "TCP: close socket failed (new_sd)"); - } + struct addrinfo* ai; + if(remote_dynamic) + openvpn_getaddrinfo(0, remote_dynamic, NULL, 1, NULL, + remote_verify.addr.sa.sa_family, &ai); + + if(ai && !addrlist_match(&remote_verify, ai)) + { + msg (M_WARN, + "TCP NOTE: Rejected connection attempt from %s due to --remote setting", + print_link_socket_actual (act, &gc)); + if (openvpn_close_socket (new_sd)) + msg (M_ERR, "TCP: close socket failed (new_sd)"); + freeaddrinfo(ai); + } else - break; + { + if(ai) + freeaddrinfo(ai); + break; + } } openvpn_sleep (1); } 
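Review bot: In socket_listen_accept, `struct addrinfo* ai;` has no initializer and is assigned only when `remote_dynamic` is non-NULL, yet `if(ai && !addrlist_match(&remote_verify, ai))` and both `freeaddrinfo(ai)` calls read it unconditionally. When no dynamic remote is configured, the --remote acceptance decision for an incoming TCP connection then depends on an indeterminate pointer. Declare it as `struct addrinfo* ai = NULL;`. The return value of openvpn_getaddrinfo should also be checked, since nothing in this hunk shows that `ai` is written on failure. The function starts and ends outside the hunk.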
@@ -907,17 +872,37 @@ socket_listen_accept (socket_descriptor_t sd, void socket_bind (socket_descriptor_t sd, - struct openvpn_sockaddr *local, + struct addrinfo *local, + int ai_family, const char *prefix) { struct gc_arena gc = gc_new (); - if (bind (sd, &local->addr.sa, af_addr_size(local->addr.sa.sa_family))) + /* FIXME (schwabe) + * getaddrinfo for the bind address might return multiple AF_INET/AF_INET6 + * entries for the requested protocol. + * For example if an address has multiple A records + * What is the correct way to deal with it? + */ + + ASSERT(local); + struct addrinfo* cur; + + /* find the first addrinfo with correct ai_family */ + for (cur = local; cur; cur=cur->ai_next) + { + if(cur->ai_family == ai_family) + break; + } + if (!cur) + msg (M_FATAL, "%s: Socket bind failed: No addr to bind has no v4/v6 record", prefix); + + if (bind (sd, cur->ai_addr, cur->ai_addrlen)) { const int errnum = openvpn_errno (); msg (M_FATAL, "%s: Socket bind failed on local address %s: %s", prefix, - print_sockaddr (local, &gc), + print_sockaddr_ex (local->ai_addr, ":", PS_SHOW_PORT, &gc), strerror_ts (errnum, &gc)); } gc_free (&gc); @@ -925,7 +910,7 @@ socket_bind (socket_descriptor_t sd, int openvpn_connect (socket_descriptor_t sd, - struct openvpn_sockaddr *remote, + const struct sockaddr *remote, int connect_timeout, volatile int *signal_received) { @@ -933,7 +918,7 @@ openvpn_connect (socket_descriptor_t sd, #ifdef CONNECT_NONBLOCK set_nonblock (sd); - status = connect (sd, &remote->addr.sa, af_addr_size(remote->addr.sa.sa_family)); + status = connect (sd, remote, af_addr_size(remote->sa_family)); if (status) status = openvpn_errno (); if ( 
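Review bot: socket_bind binds to `cur`, the first list entry whose ai_family matches, but the failure message prints `local->ai_addr`, the head of the list, so the logged address can differ from the one that actually failed to bind. Use `print_sockaddr_ex (cur->ai_addr, ":", PS_SHOW_PORT, &gc)` there. The fatal text "No addr to bind has no v4/v6 record" is also hard to parse; something like "no address of the requested family to bind to" would say what the loop actually established.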
@@ -1005,85 +990,76 @@ openvpn_connect (socket_descriptor_t sd, return status; } +void set_actual_address (struct link_socket_actual* actual, struct addrinfo* ai) +{ + CLEAR (*actual); + ASSERT (ai); + + if (ai->ai_family == AF_INET) + actual->dest.addr.in4 = + *((struct sockaddr_in*) ai->ai_addr); + else if (ai->ai_family == AF_INET6) + actual->dest.addr.in6 = + *((struct sockaddr_in6*) ai->ai_addr); + else + ASSERT(0); + + /* Copy addrinfo sock parameters for socket creating */ + actual->ai_family = ai->ai_family; + actual->ai_protocol = ai->ai_protocol; + actual->ai_socktype = ai->ai_socktype; +} + void socket_connect (socket_descriptor_t *sd, - struct openvpn_sockaddr *local, - bool bind_local, - struct openvpn_sockaddr *remote, - const bool connection_profiles_defined, - const char *remote_dynamic, - bool *remote_changed, - const int connect_retry_seconds, - const int connect_timeout, - const int connect_retry_max, - const unsigned int sockflags, - volatile int *signal_received) + struct link_socket_addr *lsa, + const int connect_timeout, + struct signal_info* sig_info) { struct gc_arena gc = gc_new (); - int retry = 0; - + const struct sockaddr *dest = &lsa->actual.dest.addr.sa; + + int status; + #ifdef CONNECT_NONBLOCK - msg (M_INFO, "Attempting to establish TCP connection with %s [nonblock]", - print_sockaddr (remote, &gc)); + msg (M_INFO, "Attempting to establish TCP connection with %s [nonblock]", + print_sockaddr (dest, &gc)); #else - msg (M_INFO, "Attempting to establish TCP connection with %s", - print_sockaddr (remote, &gc)); + msg (M_INFO, "Attempting to establish TCP connection with %s", + print_sockaddr (dest, &gc)); #endif - - while (true) - { - int status; - + #ifdef ENABLE_MANAGEMENT - if (management) + if (management) management_set_state (management, - OPENVPN_STATE_TCP_CONNECT, - NULL, - (in_addr_t)0, - (in_addr_t)0); + OPENVPN_STATE_TCP_CONNECT, + NULL, + (in_addr_t)0, + (in_addr_t)0); #endif - status = openvpn_connect (*sd, remote, 
connect_timeout, signal_received); + /* Set the actual address */ + status = openvpn_connect (*sd, dest, connect_timeout, &sig_info->signal_received); - get_signal (signal_received); - if (*signal_received) + get_signal (&sig_info->signal_received); + if (sig_info->signal_received) goto done; - if (!status) - break; - - msg (D_LINK_ERRORS, - "TCP: connect to %s failed, will try again in %d seconds: %s", - print_sockaddr (remote, &gc), - connect_retry_seconds, - strerror_ts (status, &gc)); - - gc_reset (&gc); + if (status) { - openvpn_close_socket (*sd); - *sd = SOCKET_UNDEFINED; + msg (D_LINK_ERRORS, + "TCP: connect to %s failed: %s", + print_sockaddr (dest, &gc), + strerror_ts (status, &gc)); - if ((connect_retry_max > 0 && ++retry >= connect_retry_max) || connection_profiles_defined) - { - *signal_received = SIGUSR1; - goto done; - } - - openvpn_sleep (connect_retry_seconds); - - get_signal (signal_received); - if (*signal_received) - goto done; - - *sd = create_socket_tcp (local->addr.sa.sa_family); - - if (bind_local) - socket_bind (*sd, local, "TCP Client"); - update_remote (remote_dynamic, remote, remote_changed, sockflags); - } - - msg (M_INFO, "TCP connection established with %s", - print_sockaddr (remote, &gc)); + openvpn_close_socket (*sd); + *sd = SOCKET_UNDEFINED; + sig_info->signal_received = SIGUSR1; + sig_info->source = SIG_SOURCE_CONNECTION_FAILED; + } else { + msg (M_INFO, "TCP connection established with %s", + print_sockaddr (dest, &gc)); + } done: gc_free (&gc); 
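Review bot: The added comment `/* Set the actual address */` sits above the openvpn_connect call and does not describe it, while the changed contract of socket_connect is left undocumented. The function no longer retries: on failure it closes `*sd`, sets it to SOCKET_UNDEFINED and raises SIGUSR1 with `SIG_SOURCE_CONNECTION_FAILED`, so the caller has to create a new socket before the next attempt. I would drop the stale comment and put a header comment on socket_connect stating that. set_actual_address would likewise benefit from one line saying `ai` must be an AF_INET or AF_INET6 entry, since any other family hits `ASSERT(0)`.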
@@ -1134,72 +1110,47 @@ frame_adjust_path_mtu (struct frame *frame, int pmtu, int proto) } static void -resolve_bind_local (struct link_socket *sock) +resolve_bind_local (struct link_socket *sock, const sa_family_t af) { struct gc_arena gc = gc_new (); /* resolve local address if undefined */ - if (!addr_defined (&sock->info.lsa->local)) + if (!sock->info.lsa->bind_local) { - /* may return AF_{INET|INET6} guessed from local_host */ - switch(addr_guess_family(sock->info.proto, sock->local_host)) - { - case AF_INET: - sock->info.lsa->local.addr.in4.sin_family = AF_INET; - sock->info.lsa->local.addr.in4.sin_addr.s_addr = - (sock->local_host ? getaddr (GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL, - sock->local_host, - 0, - NULL, - NULL) - : htonl (INADDR_ANY)); - sock->info.lsa->local.addr.in4.sin_port = htons (sock->local_port); - break; - case AF_INET6: - { - int status; - int err; - CLEAR(sock->info.lsa->local.addr.in6); - if (sock->local_host) - { - struct addrinfo *ai; - - status = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL, - sock->local_host, 0, NULL, AF_INET6, &ai); - if(status ==0) { - sock->info.lsa->local.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr)); - freeaddrinfo(ai); - } - } - else - { - sock->info.lsa->local.addr.in6.sin6_family = AF_INET6; - sock->info.lsa->local.addr.in6.sin6_addr = in6addr_any; - status = 0; - } - if (!status == 0) - { - msg (M_FATAL, "getaddr6() failed for local \"%s\": %s", - sock->local_host, - gai_strerror(err)); - } - sock->info.lsa->local.addr.in6.sin6_port = htons (sock->local_port); - } - break; - } + int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | + GETADDR_FATAL | GETADDR_PASSIVE; + int status; + + if(proto_is_dgram(sock->info.proto)) + flags |= GETADDR_DATAGRAM; + + /* will return AF_{INET|INET6}from local_host */ + status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, + NULL, af, &sock->info.lsa->bind_local); + if(status !=0) { + msg (M_FATAL, 
"getaddrinfo() failed for local \"%s:%s\": %s", + sock->local_host, sock->local_port, + gai_strerror(status)); + } } - - /* bind to local address/port */ - if (sock->bind_local) - { + + gc_free (&gc); +} + +static void bind_local (struct link_socket *sock) +{ + /* bind to local address/port */ + if (sock->bind_local) + { #ifdef ENABLE_SOCKS - if (sock->socks_proxy && sock->info.proto == PROTO_UDPv4) - socket_bind (sock->ctrl_sd, &sock->info.lsa->local, "SOCKS"); - else + if (sock->socks_proxy && sock->info.proto == PROTO_UDP && sock->info.af == AF_INET) + socket_bind (sock->ctrl_sd, sock->info.lsa->bind_local, + sock->info.lsa->actual.ai_family, "SOCKS"); + else #endif - socket_bind (sock->sd, &sock->info.lsa->local, "TCP/UDP"); - } - gc_free (&gc); + socket_bind (sock->sd, sock->info.lsa->bind_local, + sock->info.lsa->actual.ai_family, "TCP/UDP"); + } } static void 
@@ -1209,34 +1160,22 @@ resolve_remote (struct link_socket *sock, volatile int *signal_received) { struct gc_arena gc = gc_new (); - int af; if (!sock->did_resolve_remote) { /* resolve remote address if undefined */ - if (!addr_defined (&sock->info.lsa->remote)) + if (!sock->info.lsa->remote_list) { - af = addr_guess_family(sock->info.proto, sock->remote_host); - switch(af) - { - case AF_INET: - sock->info.lsa->remote.addr.in4.sin_family = AF_INET; - sock->info.lsa->remote.addr.in4.sin_addr.s_addr = 0; - break; - case AF_INET6: - CLEAR(sock->info.lsa->remote.addr.in6); - sock->info.lsa->remote.addr.in6.sin6_family = AF_INET6; - sock->info.lsa->remote.addr.in6.sin6_addr = in6addr_any; - break; - } - if (sock->remote_host) { unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); int retry = 0; int status = -1; + + if (proto_is_dgram(sock->info.proto)) + flags |= GETADDR_DATAGRAM; - if (sock->connection_profiles_defined && sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) + if (sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) { if (phase == 2) flags |= (GETADDR_TRY_ONCE | GETADDR_FATAL); @@ -1272,12 +1211,11 @@ resolve_remote (struct link_socket *sock, } struct addrinfo* ai; - /* Temporary fix, this need to be changed for dual stack */ - status = openvpn_getaddrinfo(flags, sock->remote_host, retry, - signal_received, af, &ai); + status = openvpn_getaddrinfo (flags, sock->remote_host, sock->remote_port, + retry, signal_received, sock->info.af, &ai); if(status == 0) { - sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr)); - freeaddrinfo(ai); + sock->info.lsa->remote_list = ai; + sock->info.lsa->current_remote = ai; dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", flags, 
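Review bot: resolve_remote now keeps the getaddrinfo result in `sock->info.lsa->remote_list` and `current_remote` where the old code copied the address and called `freeaddrinfo(ai)`, but none of the visible hunks shows where the chain is released. The same applies to `lsa->bind_local` in resolve_bind_local. Please document the ownership at the assignment, naming the function that calls freeaddrinfo, and confirm that a second resolve after a restart does not overwrite a list that is still allocated. The function starts and ends outside this hunk.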
@@ -1298,15 +1236,6 @@ resolve_remote (struct link_socket *sock, goto done; } } - switch(af) - { - case AF_INET: - sock->info.lsa->remote.addr.in4.sin_port = htons (sock->remote_port); - break; - case AF_INET6: - sock->info.lsa->remote.addr.in6.sin6_port = htons (sock->remote_port); - break; - } } /* should we re-use previous active remote address? */ @@ -1319,8 +1248,12 @@ resolve_remote (struct link_socket *sock, } else { - CLEAR (sock->info.lsa->actual); - sock->info.lsa->actual.dest = sock->info.lsa->remote; + CLEAR (sock->info.lsa->actual); + if(sock->info.lsa->current_remote) + { + set_actual_address (&sock->info.lsa->actual, + sock->info.lsa->current_remote); + } } /* remember that we finished */ @@ -1331,6 +1264,8 @@ resolve_remote (struct link_socket *sock, gc_free (&gc); } + + struct link_socket * link_socket_new (void) { @@ -1344,15 +1279,36 @@ link_socket_new (void) return sock; } +void +create_new_socket (struct link_socket* sock, int mark) +{ + if (sock->bind_local) { + resolve_bind_local (sock, sock->info.af); + } + resolve_remote (sock, 1, NULL, NULL); + create_socket (sock); + + /* set socket buffers based on --sndbuf and --rcvbuf options */ + socket_set_buffers (sock->sd, &sock->socket_buffer_sizes); + + /* set socket to --mark packets with given value */ + socket_set_mark (sock->sd, mark); + + if (sock->bind_local) + bind_local(sock); + +} + + /* bind socket if necessary */ void link_socket_init_phase1 (struct link_socket *sock, - const bool connection_profiles_defined, const char *local_host, - int local_port, + const char *local_port, const char *remote_host, - int remote_port, + const char *remote_port, int proto, + sa_family_t af, int mode, const struct link_socket *accept_from, #ifdef ENABLE_HTTP_PROXY 
@@ -1371,9 +1327,7 @@ link_socket_init_phase1 (struct link_socket *sock, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, - int connect_retry_seconds, int connect_timeout, - int connect_retry_max, int mtu_discover_type, int rcvbuf, int sndbuf, @@ -1382,8 +1336,6 @@ link_socket_init_phase1 (struct link_socket *sock, { ASSERT (sock); - sock->connection_profiles_defined = connection_profiles_defined; - sock->local_host = local_host; sock->local_port = local_port; sock->remote_host = remote_host; @@ -1400,9 +1352,7 @@ link_socket_init_phase1 (struct link_socket *sock, sock->bind_local = bind_local; sock->inetd = inetd; sock->resolve_retry_seconds = resolve_retry_seconds; - sock->connect_retry_seconds = connect_retry_seconds; sock->connect_timeout = connect_timeout; - sock->connect_retry_max = connect_retry_max; sock->mtu_discover_type = mtu_discover_type; #ifdef ENABLE_DEBUG @@ -1415,6 +1365,7 @@ link_socket_init_phase1 (struct link_socket *sock, sock->sockflags = sockflags; sock->info.proto = proto; + sock->info.af = af; sock->info.remote_float = remote_float; sock->info.lsa = lsa; sock->info.ipchange_command = ipchange_command; @@ -1424,20 +1375,18 @@ link_socket_init_phase1 (struct link_socket *sock, if (mode == LS_MODE_TCP_ACCEPT_FROM) { ASSERT (accept_from); - ASSERT (sock->info.proto == PROTO_TCPv4_SERVER - || sock->info.proto == PROTO_TCPv6_SERVER - ); + ASSERT (sock->info.proto == PROTO_TCP_SERVER); ASSERT (!sock->inetd); sock->sd = accept_from->sd; } - + if (false) ; #ifdef ENABLE_HTTP_PROXY /* are we running in HTTP proxy mode? */ else if (sock->http_proxy) { - ASSERT (sock->info.proto == PROTO_TCPv4_CLIENT); + ASSERT (sock->info.proto == PROTO_TCP_CLIENT && sock->info.af == AF_INET); ASSERT (!sock->inetd); /* the proxy server */ 
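Review bot: The HTTP proxy branch of link_socket_init_phase1 now asserts `sock->info.af == AF_INET`, and the SOCKS branch in the following hunk (`@@ -1453,7 +1402,7 @@`) asserts the same, while create_socket explicitly allows `sock->info.af == AF_UNSPEC`. If af can be AF_UNSPEC for a proxied connection (option parsing is not visible here), a configuration choice would abort the process through ASSERT instead of being reported as a configuration error. Validating the proxy and address-family combination where options are parsed and reporting it with msg() would be the safer place for this check. The TCP-server bind block in `@@ -1472,7 +1421,7 @@` gained the same `af==AF_INET` condition, so an AF_UNSPEC server would skip that block as well; it is worth confirming this is intended.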
@@ -1453,7 +1402,7 @@ link_socket_init_phase1 (struct link_socket *sock, /* or in Socks proxy mode? */ else if (sock->socks_proxy) { - ASSERT (sock->info.proto == PROTO_TCPv4_CLIENT || sock->info.proto == PROTO_UDPv4); + ASSERT (sock->info.af == AF_INET); ASSERT (!sock->inetd); /* the proxy server */ @@ -1472,7 +1421,7 @@ link_socket_init_phase1 (struct link_socket *sock, } /* bind behavior for TCP server vs. client */ - if (sock->info.proto == PROTO_TCPv4_SERVER) + if (sock->info.proto == PROTO_TCP_SERVER && sock->info.af==AF_INET) { if (sock->mode == LS_MODE_TCP_ACCEPT_FROM) sock->bind_local = false; 
@@ -1483,248 +1432,59 @@ link_socket_init_phase1 (struct link_socket *sock, /* were we started by inetd or xinetd? */ if (sock->inetd) { - ASSERT (sock->info.proto != PROTO_TCPv4_CLIENT - && sock->info.proto != PROTO_TCPv6_CLIENT); + ASSERT (sock->info.proto != PROTO_TCP_CLIENT); ASSERT (socket_defined (inetd_socket_descriptor)); sock->sd = inetd_socket_descriptor; } else if (mode != LS_MODE_TCP_ACCEPT_FROM) { - create_socket (sock); - - /* set socket buffers based on --sndbuf and --rcvbuf options */ - socket_set_buffers (sock->sd, &sock->socket_buffer_sizes); - - /* set socket to --mark packets with given value */ - socket_set_mark (sock->sd, mark); - - resolve_bind_local (sock); - resolve_remote (sock, 1, NULL, NULL); + create_new_socket (sock, mark); } } -/* finalize socket initialization */ -void -link_socket_init_phase2 (struct link_socket *sock, - const struct frame *frame, - volatile int *signal_received) +static +void phase2_inetd (struct link_socket* sock, const struct frame *frame, + const char *remote_dynamic, volatile int *signal_received) { - struct gc_arena gc = gc_new (); - const char *remote_dynamic = NULL; bool remote_changed = false; - int sig_save = 0; - ASSERT (sock); - - if (signal_received && *signal_received) - { - sig_save = *signal_received; - *signal_received = 0; - } - - /* initialize buffers */ - socket_frame_init (frame, sock); - - /* - * Pass a remote name to connect/accept so that - * they can test for dynamic IP address changes - * and throw a SIGUSR1 if appropriate. - */ - if (sock->resolve_retry_seconds) - remote_dynamic = sock->remote_host; - - /* were we started by inetd or xinetd? 
*/ - if (sock->inetd) - { - if (sock->info.proto == PROTO_TCPv4_SERVER - || sock->info.proto == PROTO_TCPv6_SERVER) { - /* AF_INET as default (and fallback) for inetd */ - sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET; + if (sock->info.proto == PROTO_TCP_SERVER) { + /* AF_INET as default (and fallback) for inetd */ + sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET; #ifdef HAVE_GETSOCKNAME - { - /* inetd: hint family type for dest = local's */ - struct openvpn_sockaddr local_addr; - socklen_t addrlen = sizeof(local_addr); - if (getsockname (sock->sd, (struct sockaddr *)&local_addr, &addrlen) == 0) { - sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family; - dmsg (D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)", - proto2ascii(sock->info.proto, false), local_addr.addr.sa.sa_family, - sock->sd); - } else - msg (M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET", - proto2ascii(sock->info.proto, false), sock->sd); - } -#else - msg (M_WARN, "inetd(%s): this OS does not provide the getsockname() " - "function, using AF_INET", - proto2ascii(sock->info.proto, false)); -#endif - sock->sd = - socket_listen_accept (sock->sd, - &sock->info.lsa->actual, - remote_dynamic, - &remote_changed, - &sock->info.lsa->local, - false, - sock->inetd == INETD_NOWAIT, - signal_received); - } - ASSERT (!remote_changed); - if (*signal_received) - goto done; - } - else { - resolve_remote (sock, 2, &remote_dynamic, signal_received); - - if (*signal_received) - goto done; - - /* TCP client/server */ - if (sock->info.proto == PROTO_TCPv4_SERVER - ||sock->info.proto == PROTO_TCPv6_SERVER) - { - switch (sock->mode) - { - case LS_MODE_DEFAULT: - sock->sd = socket_listen_accept (sock->sd, - &sock->info.lsa->actual, - remote_dynamic, - &remote_changed, - &sock->info.lsa->local, - true, - false, - signal_received); - break; - case LS_MODE_TCP_LISTEN: - socket_do_listen (sock->sd, - &sock->info.lsa->local, - true, - false); - break; - 
case LS_MODE_TCP_ACCEPT_FROM: - sock->sd = socket_do_accept (sock->sd, - &sock->info.lsa->actual, - false); - if (!socket_defined (sock->sd)) - { - *signal_received = SIGTERM; - goto done; - } - tcp_connection_established (&sock->info.lsa->actual); - break; - default: - ASSERT (0); - } - } - else if (sock->info.proto == PROTO_TCPv4_CLIENT - ||sock->info.proto == PROTO_TCPv6_CLIENT) - { - -#ifdef GENERAL_PROXY_SUPPORT - bool proxy_retry = false; -#else - const bool proxy_retry = false; -#endif - do { - socket_connect (&sock->sd, - &sock->info.lsa->local, - sock->bind_local, - &sock->info.lsa->actual.dest, - sock->connection_profiles_defined, - remote_dynamic, - &remote_changed, - sock->connect_retry_seconds, - sock->connect_timeout, - sock->connect_retry_max, - sock->sockflags, - signal_received); - - if (*signal_received) - goto done; - - if (false) - ; -#ifdef ENABLE_HTTP_PROXY - else if (sock->http_proxy) - { - proxy_retry = establish_http_proxy_passthru (sock->http_proxy, - sock->sd, - sock->proxy_dest_host, - sock->proxy_dest_port, - &sock->stream_buf.residual, - signal_received); - } -#endif -#ifdef ENABLE_SOCKS - else if (sock->socks_proxy) - { - establish_socks_proxy_passthru (sock->socks_proxy, - sock->sd, - sock->proxy_dest_host, - sock->proxy_dest_port, - signal_received); - } -#endif - if (proxy_retry) - { - openvpn_close_socket (sock->sd); - sock->sd = create_socket_tcp (AF_INET); - } - } while (proxy_retry); - } -#ifdef ENABLE_SOCKS - else if (sock->info.proto == PROTO_UDPv4 && sock->socks_proxy) - { - socket_connect (&sock->ctrl_sd, - &sock->info.lsa->local, - sock->bind_local, - &sock->info.lsa->actual.dest, - sock->connection_profiles_defined, - remote_dynamic, - &remote_changed, - sock->connect_retry_seconds, - sock->connect_timeout, - sock->connect_retry_max, - sock->sockflags, - signal_received); - - if (*signal_received) - goto done; - - establish_socks_proxy_udpassoc (sock->socks_proxy, - sock->ctrl_sd, - sock->sd, - &sock->socks_relay.dest, - 
signal_received); - - if (*signal_received) - goto done; - - sock->remote_host = sock->proxy_dest_host; - sock->remote_port = sock->proxy_dest_port; - sock->did_resolve_remote = false; - - addr_zero_host(&sock->info.lsa->actual.dest); - addr_zero_host(&sock->info.lsa->remote); - - resolve_remote (sock, 1, NULL, signal_received); - - if (*signal_received) - goto done; - } -#endif - - if (*signal_received) - goto done; - - if (remote_changed) - { - msg (M_INFO, "TCP/UDP: Dynamic remote address changed during TCP connection establishment"); - addr_copy_host(&sock->info.lsa->remote, &sock->info.lsa->actual.dest); - } + /* inetd: hint family type for dest = local's */ + struct openvpn_sockaddr local_addr; + socklen_t addrlen = sizeof(local_addr); + if (getsockname (sock->sd, &local_addr.addr.sa, &addrlen) == 0) { + sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family; + dmsg (D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)", + proto2ascii(sock->info.proto, sock->info.af, false), local_addr.addr.sa.sa_family, + sock->sd); + } else + msg (M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET", + proto2ascii(sock->info.proto, sock->info.af, false), sock->sd); } +#else + msg (M_WARN, "inetd(%s): this OS does not provide the getsockname() " + "function, using AF_INET", + proto2ascii(sock->info.proto, false)); +#endif + sock->sd = + socket_listen_accept (sock->sd, + &sock->info.lsa->actual, + remote_dynamic, + sock->info.lsa->bind_local, + false, + sock->inetd == INETD_NOWAIT, + signal_received); + } + ASSERT (!remote_changed); +} +static void +phase2_set_socket_flags (struct link_socket* sock) +{ /* set misc socket parameters */ socket_set_flags (sock->sd, sock->sockflags); 
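Review bot: phase2_inetd passes `sock->info.lsa->bind_local` to socket_listen_accept, which dereferences it as `local->ai_addr`, but in the inetd path phase 1 sets `sock->sd = inetd_socket_descriptor` and skips create_new_socket, the only visible place where resolve_bind_local fills bind_local. Unless bind_local is set somewhere outside these hunks, that is a NULL dereference when an inetd TCP server starts. socket_listen_accept could pass `local ? local->ai_addr : NULL`, provided socket_do_listen only uses the address when do_listen is true, which is not visible here. Separately, the `#else` branch still calls `proto2ascii(sock->info.proto, false)` with two arguments while every other call now passes `sock->info.af` as well, so builds without HAVE_GETSOCKNAME would not compile. `remote_changed` is no longer written anywhere, which leaves `ASSERT (!remote_changed)` dead.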
@@ -1747,35 +1507,245 @@ link_socket_init_phase2 (struct link_socket *sock, /* if the OS supports it, enable extended error passing on the socket */ set_sock_extended_error_passing (sock->sd); #endif +} + + +static void +linksock_print_addr (struct link_socket *sock) +{ + struct gc_arena gc = gc_new (); /* print local address */ { const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO; - + if (sock->inetd) - msg (msglevel, "%s link local: [inetd]", proto2ascii (sock->info.proto, true)); + msg (msglevel, "%s link local: [inetd]", proto2ascii (sock->info.proto, sock->info.af, true)); + else if (sock->bind_local) + { + /* Socket is always bound on the first matching address */ + struct addrinfo *cur; + for (cur = sock->info.lsa->bind_local; cur; cur=cur->ai_next) + { + if(cur->ai_family == sock->info.lsa->actual.ai_family) + break; + } + ASSERT (cur); + msg (msglevel, "%s link local (bound): %s", + proto2ascii (sock->info.proto, sock->info.af, true), + print_sockaddr(cur->ai_addr,&gc)); + } else - msg (msglevel, "%s link local%s: %s", - proto2ascii (sock->info.proto, true), - (sock->bind_local ? " (bound)" : ""), - print_sockaddr_ex (&sock->info.lsa->local, ":", sock->bind_local ? 
PS_SHOW_PORT : 0, &gc)); - + msg (msglevel, "%s link local: (not bound)", + proto2ascii (sock->info.proto, sock->info.af, true)); + /* print active remote address */ msg (msglevel, "%s link remote: %s", - proto2ascii (sock->info.proto, true), - print_link_socket_actual_ex (&sock->info.lsa->actual, - ":", - PS_SHOW_PORT_IF_DEFINED, - &gc)); + proto2ascii (sock->info.proto, sock->info.af, true), + print_link_socket_actual_ex (&sock->info.lsa->actual, + ":", + PS_SHOW_PORT_IF_DEFINED, + &gc)); } + gc_free(&gc); +} + +static void +phase2_tcp_server (struct link_socket *sock, const char *remote_dynamic, + volatile int *signal_received) +{ + switch (sock->mode) + { + case LS_MODE_DEFAULT: + sock->sd = socket_listen_accept (sock->sd, + &sock->info.lsa->actual, + remote_dynamic, + sock->info.lsa->bind_local, + true, + false, + signal_received); + break; + case LS_MODE_TCP_LISTEN: + socket_do_listen (sock->sd, + sock->info.lsa->bind_local->ai_addr, + true, + false); + break; + case LS_MODE_TCP_ACCEPT_FROM: + sock->sd = socket_do_accept (sock->sd, + &sock->info.lsa->actual, + false); + if (!socket_defined (sock->sd)) + { + *signal_received = SIGTERM; + return; + } + tcp_connection_established (&sock->info.lsa->actual); + break; + default: + ASSERT (0); + } + +} + + +static void +phase2_tcp_client (struct link_socket *sock, struct signal_info *sig_info) +{ +#ifdef GENERAL_PROXY_SUPPORT + bool proxy_retry = false; +#else + const bool proxy_retry = false; +#endif + do { + socket_connect (&sock->sd, + sock->info.lsa, + sock->connect_timeout, + sig_info); + + if (sig_info->signal_received) + return; + + if (false) + ; +#ifdef ENABLE_HTTP_PROXY + else if (sock->http_proxy) + { + proxy_retry = establish_http_proxy_passthru (sock->http_proxy, + sock->sd, + sock->proxy_dest_host, + sock->proxy_dest_port, + &sock->stream_buf.residual, + &sig_info->signal_received); + } +#endif +#ifdef ENABLE_SOCKS + else if (sock->socks_proxy) + { + establish_socks_proxy_passthru (sock->socks_proxy, + 
sock->sd, + sock->proxy_dest_host, + sock->proxy_dest_port, + &sig_info->signal_received); + } +#endif + if (proxy_retry) + { + /* TODO (schwabe): This code assumes AF_INET for the proxy socket + * when retrying a connection */ + openvpn_close_socket (sock->sd); + sock->sd = create_socket_tcp (AF_INET); + } + } while (proxy_retry); + +} + +#ifdef ENABLE_SOCKS +static void +phase2_socks_client (struct link_socket *sock, struct signal_info *sig_info) +{ + socket_connect (&sock->ctrl_sd, + sock->info.lsa, + sock->connect_timeout, + sig_info); + + if (sig_info->signal_received) + return; + + establish_socks_proxy_udpassoc (sock->socks_proxy, + sock->ctrl_sd, + sock->sd, + &sock->socks_relay.dest, + &sig_info->signal_received); + + if (sig_info->signal_received) + return; + + sock->remote_host = sock->proxy_dest_host; + sock->remote_port = sock->proxy_dest_port; + sock->did_resolve_remote = false; + + addr_zero_host(&sock->info.lsa->actual.dest); + if (sock->info.lsa->remote_list) + freeaddrinfo(sock->info.lsa->remote_list); + + resolve_remote (sock, 1, NULL, &sig_info->signal_received); + +} +#endif +/* finalize socket initialization */ +void +link_socket_init_phase2 (struct link_socket *sock, + const struct frame *frame, + struct signal_info *sig_info) +{ + const char *remote_dynamic = NULL; + int sig_save = 0; + + ASSERT (sock); + + if (sig_info && sig_info->signal_received) + { + sig_save = sig_info->signal_received; + sig_info->signal_received = 0; + } + + /* initialize buffers */ + socket_frame_init (frame, sock); + + /* + * Pass a remote name to connect/accept so that + * they can test for dynamic IP address changes + * and throw a SIGUSR1 if appropriate. + */ + if (sock->resolve_retry_seconds) + remote_dynamic = sock->remote_host; + + /* were we started by inetd or xinetd? 
*/ + if (sock->inetd) + { + phase2_inetd (sock, frame, remote_dynamic, &sig_info->signal_received); + if (sig_info && sig_info->signal_received) + goto done; + + } + else + { + resolve_remote (sock, 2, &remote_dynamic, &sig_info->signal_received); + + if (sig_info && sig_info->signal_received) + goto done; + + if (sock->info.proto == PROTO_TCP_SERVER) + { + phase2_tcp_server (sock, remote_dynamic, + &sig_info->signal_received); + } + else if (sock->info.proto == PROTO_TCP_CLIENT) + { + phase2_tcp_client (sock, sig_info); + + } +#ifdef ENABLE_SOCKS + else if (sock->info.proto == PROTO_UDP && sock->socks_proxy && sock->info.af == AF_INET) + { + phase2_socks_client (sock, sig_info); +#endif + } + if (sig_info && sig_info->signal_received) + goto done; + } + + phase2_set_socket_flags(sock); + linksock_print_addr(sock); + done: - if (sig_save && signal_received) + if (sig_save && sig_info) { - if (!*signal_received) - *signal_received = sig_save; + if (!sig_info->signal_received) + sig_info->signal_received = sig_save; } - gc_free (&gc); } void @@ -1843,17 +1813,14 @@ setenv_trusted (struct env_set *es, const struct link_socket_info *info) static void ipchange_fmt (const bool include_cmd, struct argv *argv, const struct link_socket_info *info, struct gc_arena *gc) { - const char *ip = print_sockaddr_ex (&info->lsa->actual.dest, NULL, 0, gc); - const char *port = print_sockaddr_ex (&info->lsa->actual.dest, NULL, PS_DONT_SHOW_ADDR|PS_SHOW_PORT, gc); + const char *host = print_sockaddr_ex (&info->lsa->actual.dest.addr.sa, " ", PS_SHOW_PORT , gc); if (include_cmd) - argv_printf (argv, "%sc %s %s", + argv_printf (argv, "%sc %s", info->ipchange_command, - ip, - port); + host); else - argv_printf (argv, "%s %s", - ip, - port); + argv_printf (argv, "%s", host); + } void 
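Review bot: In phase2_socks_client the resolved list is released with `freeaddrinfo(sock->info.lsa->remote_list);` but the pointer is left set, so any later code that tests `remote_list` for non-NULL would walk freed memory (resolve_remote is called two lines further on; its body is not in this hunk). Clear both references inside the same branch with `sock->info.lsa->remote_list = NULL;` and `sock->info.lsa->current_remote = NULL;`, since current_remote presumably points into that list. Separately, in link_socket_init_phase2 the `#endif` of the ENABLE_SOCKS branch comes before that branch's closing `}`, so a build without ENABLE_SOCKS is left with an unmatched brace; move the `}` above the `#endif`.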
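Review bot: ipchange_fmt now passes address and port through a single `%s` (`host`, built with a `" "` separator), where it used to pass `ip` and `port` as two separate `%s` terms. If argv_printf turns each `%s` into exactly one argument (its definition is not part of this diff), the --ipchange command receives one "addr port" argument instead of two, which silently changes the script interface. Keeping two strings, one from `print_sockaddr_ex (sa, NULL, 0, gc)` and one from `print_sockaddr_ex (sa, NULL, PS_DONT_SHOW_ADDR|PS_SHOW_PORT, gc)`, with the original `"%sc %s %s"` format preserves it.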
@@ -1910,6 +1877,7 @@ link_socket_bad_incoming_addr (struct buffer *buf, const struct link_socket_actual *from_addr) { struct gc_arena gc = gc_new (); + struct addrinfo* ai; switch(from_addr->dest.addr.sa.sa_family) { @@ -1919,7 +1887,12 @@ link_socket_bad_incoming_addr (struct buffer *buf, "TCP/UDP: Incoming packet rejected from %s[%d], expected peer address: %s (allow this incoming source address/port by removing --remote or adding --float)", print_link_socket_actual (from_addr, &gc), (int)from_addr->dest.addr.sa.sa_family, - print_sockaddr (&info->lsa->remote, &gc)); + print_sockaddr_ex (info->lsa->remote_list->ai_addr,":" ,PS_SHOW_PORT, &gc)); + /* print additional remote addresses */ + for(ai=info->lsa->remote_list->ai_next;ai;ai=ai->ai_next) { + msg(D_LINK_ERRORS,"or from peer address: %s", + print_sockaddr_ex(ai->ai_addr,":",PS_SHOW_PORT, &gc)); + } break; } buf->len = 0; @@ -1944,14 +1917,17 @@ link_socket_current_remote (const struct link_socket_info *info) * Maybe in the future consider PF_INET6 endpoints also ... * by now just ignore it * + * For --remote entries with multiple addresses this + * only return the actual endpoint we have sucessfully connected to */ if (lsa->actual.dest.addr.sa.sa_family != AF_INET) return IPV4_INVALID_ADDR; if (link_socket_actual_defined (&lsa->actual)) return ntohl (lsa->actual.dest.addr.in4.sin_addr.s_addr); - else if (addr_defined (&lsa->remote)) - return ntohl (lsa->remote.addr.in4.sin_addr.s_addr); + else if (lsa->current_remote) + return ntohl (((struct sockaddr_in*)lsa->current_remote->ai_addr) + ->sin_addr.s_addr); else return 0; } @@ -2018,7 +1994,7 @@ stream_buf_init (struct stream_buf *sb, sb->residual = alloc_buf (sb->maxlen); sb->error = false; #if PORT_SHARE - sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCPv4_SERVER)) + sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER)) ? PS_ENABLED : PS_DISABLED; #endif 
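Review bot: `info->lsa->remote_list->ai_addr` is dereferenced in link_socket_bad_incoming_addr without checking that `remote_list` is non-NULL, although link_socket_verify_incoming_addr in socket.h treats a NULL list as a normal state (`!info->lsa->remote_list`). Whether the reject path can be reached with an empty list depends on callers outside this diff, but this code runs on packets from peers that have not been verified, so a guard is cheap: test `if (info->lsa->remote_list)` before printing the expected peer and before the loop, and log only the source address otherwise. The function starts and ends outside the hunk.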
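Review bot: The new fallback in link_socket_current_remote casts `lsa->current_remote->ai_addr` to `struct sockaddr_in *` without looking at the entry's own family. The AF_INET test above it is made on `lsa->actual.dest`, not on `current_remote`, so with a --remote that resolves to both families the entry could be a sockaddr_in6 and the value returned would not be an IPv4 address. Suggest `else if (lsa->current_remote && lsa->current_remote->ai_family == AF_INET)`. The added comment would read better as `this only returns the actual endpoint we have successfully connected to`.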
@@ -2167,67 +2143,58 @@ socket_listen_event_handle (struct link_socket *s) */ const char * -print_sockaddr (const struct openvpn_sockaddr *addr, struct gc_arena *gc) -{ - return print_sockaddr_ex (addr, ":", PS_SHOW_PORT, gc); -} - -const char * -print_sockaddr_ex (const struct openvpn_sockaddr *addr, - const char* separator, - const unsigned int flags, - struct gc_arena *gc) +print_sockaddr_ex (const struct sockaddr *sa, + const char* separator, + const unsigned int flags, + struct gc_arena *gc) { struct buffer out = alloc_buf_gc (128, gc); bool addr_is_defined; - addr_is_defined = addr_defined (addr); - if (!addr_is_defined) { - return "[undef]"; - } - switch(addr->addr.sa.sa_family) + char hostaddr[NI_MAXHOST] = ""; + char servname[NI_MAXSERV] = ""; + int status; + + socklen_t salen; + switch(sa->sa_family) { case AF_INET: - { - const int port= ntohs (addr->addr.in4.sin_port); - buf_puts (&out, "[AF_INET]"); - - if (!(flags & PS_DONT_SHOW_ADDR)) - buf_printf (&out, "%s", (addr_defined (addr) ? 
inet_ntoa (addr->addr.in4.sin_addr) : "[undef]")); - - if (((flags & PS_SHOW_PORT) || (addr_defined (addr) && (flags & PS_SHOW_PORT_IF_DEFINED))) - && port) - { - if (separator) - buf_printf (&out, "%s", separator); - - buf_printf (&out, "%d", port); - } - } + buf_puts (&out, "[AF_INET]"); + salen = sizeof (struct sockaddr_in); + addr_is_defined = ((struct sockaddr_in*) sa)->sin_addr.s_addr != 0; break; case AF_INET6: - { - const int port= ntohs (addr->addr.in6.sin6_port); - char buf[INET6_ADDRSTRLEN] = ""; - buf_puts (&out, "[AF_INET6]"); - if (addr_is_defined) - { - getnameinfo(&addr->addr.sa, sizeof (struct sockaddr_in6), - buf, sizeof (buf), NULL, 0, NI_NUMERICHOST); - buf_puts (&out, buf); - } - if (((flags & PS_SHOW_PORT) || (addr_is_defined && (flags & PS_SHOW_PORT_IF_DEFINED))) - && port) - { - if (separator) - buf_puts (&out, separator); - - buf_printf (&out, "%d", port); - } - } + buf_puts (&out, "[AF_INET6]"); + salen = sizeof (struct sockaddr_in6); + addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6*) sa)->sin6_addr); break; default: ASSERT(0); } + + status = getnameinfo(sa, salen, hostaddr, sizeof (hostaddr), + servname, sizeof(servname), NI_NUMERICHOST | NI_NUMERICSERV); + + if(status!=0) { + buf_printf(&out,"[nameinfo() err: %s]",gai_strerror(status)); + return BSTR(&out); + } + + if (!(flags & PS_DONT_SHOW_ADDR)) + { + if (addr_is_defined) + buf_puts (&out, hostaddr); + else + buf_puts (&out, "[undef]"); + } + + if ((flags & PS_SHOW_PORT) || (flags & PS_SHOW_PORT_IF_DEFINED)) + { + if (separator) + buf_puts (&out, separator); + + buf_puts (&out, servname); + } + return BSTR (&out); } 
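Review bot: The port is now appended whenever `PS_SHOW_PORT` or `PS_SHOW_PORT_IF_DEFINED` is set, so `PS_SHOW_PORT_IF_DEFINED` no longer depends on the address being defined and an unset port is printed as `0`; the removed code required `addr_defined` for that flag and a non-zero port in both cases. To keep the old meaning of the flag use `if ((flags & PS_SHOW_PORT) || (addr_is_defined && (flags & PS_SHOW_PORT_IF_DEFINED)))`. `sa` is also dereferenced without a NULL check, and callers in this diff now pass `ai_addr` pointers taken from resolver lists rather than the address of an embedded struct, so a leading `if (!sa) return "[undef]";` would be a safe default.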
@@ -2251,7 +2218,7 @@ print_link_socket_actual_ex (const struct link_socket_actual *act, { char ifname[IF_NAMESIZE] = "[undef]"; struct buffer out = alloc_buf_gc (128, gc); - buf_printf (&out, "%s", print_sockaddr_ex (&act->dest, separator, flags, gc)); + buf_printf (&out, "%s", print_sockaddr_ex (&act->dest.addr.sa, separator, flags, gc)); #if ENABLE_IP_PKTINFO if ((flags & PS_SHOW_PKTINFO) && addr_defined_ipi(act)) { @@ -2272,7 +2239,7 @@ print_link_socket_actual_ex (const struct link_socket_actual *act, #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif buf_printf (&out, " (via %s%%%s)", - print_sockaddr_ex (&sa, separator, 0, gc), + print_sockaddr_ex (&sa.addr.sa, separator, 0, gc), ifname); } break; 
@@ -2434,22 +2401,23 @@ setenv_link_socket_actual (struct env_set *es, struct proto_names { const char *short_form; const char *display_form; - bool is_dgram; - bool is_net; - unsigned short proto_af; + sa_family_t proto_af; + int proto; }; /* Indexed by PROTO_x */ -static const struct proto_names proto_names[PROTO_N] = { - {"proto-uninitialized", "proto-NONE",0,0, AF_UNSPEC}, - {"udp", "UDPv4",1,1, AF_INET}, - {"tcp-server", "TCPv4_SERVER",0,1, AF_INET}, - {"tcp-client", "TCPv4_CLIENT",0,1, AF_INET}, - {"tcp", "TCPv4",0,1, AF_INET}, - {"udp6" ,"UDPv6",1,1, AF_INET6}, - {"tcp6-server","TCPv6_SERVER",0,1, AF_INET6}, - {"tcp6-client","TCPv6_CLIENT",0,1, AF_INET6}, - {"tcp6" ,"TCPv6",0,1, AF_INET6}, +static const struct proto_names proto_names[] = { + {"proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE}, + {"udp", "UDP", AF_UNSPEC, PROTO_UDP}, + {"udp4", "UDPv4", AF_INET, PROTO_UDP}, + {"tcp-server", "TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER}, + {"tcp-client", "TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT}, + {"tcp", "TCP", AF_UNSPEC, PROTO_TCP}, + {"tcp4", "TCPv4", AF_INET, PROTO_TCP}, + {"udp6" ,"UDPv6", AF_INET6, PROTO_UDP}, + {"tcp6-server","TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER}, + {"tcp6-client","TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT}, + {"tcp6" ,"TCPv6", AF_INET6, PROTO_TCP}, }; bool 
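Review bot: The context comment `/* Indexed by PROTO_x */` above the table is no longer true, because rows are now found by the (`proto`, `proto_af`) pair and several rows share one PROTO_x value; replace it with `/* Looked up by (proto, proto_af), not by index */`. `tcp-server` and `tcp-client` only have AF_INET and AF_INET6 rows, so `proto2ascii` called with `PROTO_TCP_SERVER` or `PROTO_TCP_CLIENT` and `AF_UNSPEC` falls through to "[unknown protocol]", and `ascii2af ("tcp-server")` yields AF_INET while `ascii2af ("tcp")` yields AF_UNSPEC. If that asymmetry is intended for wire compatibility it deserves a comment on those two rows.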
@@ -2457,59 +2425,66 @@ proto_is_net(int proto) { if (proto < 0 || proto >= PROTO_N) ASSERT(0); - return proto_names[proto].is_net; + return proto != PROTO_NONE; } bool proto_is_dgram(int proto) { - if (proto < 0 || proto >= PROTO_N) - ASSERT(0); - return proto_names[proto].is_dgram; + return proto_is_udp(proto); } + bool proto_is_udp(int proto) { if (proto < 0 || proto >= PROTO_N) ASSERT(0); - return proto_names[proto].is_dgram&&proto_names[proto].is_net; + return proto == PROTO_UDP; } + bool proto_is_tcp(int proto) { if (proto < 0 || proto >= PROTO_N) ASSERT(0); - return (!proto_names[proto].is_dgram)&&proto_names[proto].is_net; -} - -unsigned short -proto_sa_family(int proto) -{ - if (proto < 0 || proto >= PROTO_N) - ASSERT(0); - return proto_names[proto].proto_af; + return proto == PROTO_TCP_CLIENT || proto == PROTO_TCP_SERVER || proto == PROTO_TCP_CLIENT; } int ascii2proto (const char* proto_name) { int i; - ASSERT (PROTO_N == SIZE (proto_names)); - for (i = 0; i < PROTO_N; ++i) + for (i = 0; i < SIZE (proto_names); ++i) if (!strcmp (proto_name, proto_names[i].short_form)) - return i; + return proto_names[i].proto; return -1; } +sa_family_t +ascii2af (const char* proto_name) +{ + int i; + for (i = 0; i < SIZE (proto_names); ++i) + if (!strcmp (proto_name, proto_names[i].short_form)) + return proto_names[i].proto_af; + return 0; +} + const char * -proto2ascii (int proto, bool display_form) +proto2ascii (int proto, sa_family_t af, bool display_form) { - ASSERT (PROTO_N == SIZE (proto_names)); - if (proto < 0 || proto >= PROTO_N) - return "[unknown protocol]"; - else if (display_form) - return proto_names[proto].display_form; - else - return proto_names[proto].short_form; + unsigned int i; + for (i = 0; i < SIZE (proto_names); ++i) + { + if(proto_names[i].proto_af == af && proto_names[i].proto == proto) + { + if(display_form) + return proto_names[i].display_form; + else + return proto_names[i].short_form; + } + } + + return "[unknown protocol]"; } const char * 
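Review bot: proto_is_tcp tests `PROTO_TCP_CLIENT` twice and never `PROTO_TCP`, so a plain `tcp` protocol is reported as not being TCP. The return should be `return proto == PROTO_TCP || proto == PROTO_TCP_SERVER || proto == PROTO_TCP_CLIENT;`. In ascii2proto and ascii2af the loop index is a signed `int` compared against `SIZE (proto_names)`; proto2ascii already declares `unsigned int i`, and the other two should match.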
@@ -2518,23 +2493,22 @@ proto2ascii_all (struct gc_arena *gc) struct buffer out = alloc_buf_gc (256, gc); int i; - ASSERT (PROTO_N == SIZE (proto_names)); - for (i = 0; i < PROTO_N; ++i) + for (i = 0; i < SIZE (proto_names); ++i) { if (i) buf_printf(&out, " "); - buf_printf(&out, "[%s]", proto2ascii(i, false)); + buf_printf(&out, "[%s]", proto_names[i].short_form); } return BSTR (&out); } int -addr_guess_family(int proto, const char *name) +addr_guess_family(sa_family_t af, const char *name) { unsigned short ret; - if (proto) + if (af) { - return proto_sa_family(proto); /* already stamped */ + return af; /* already stamped */ } else { @@ -2570,6 +2544,10 @@ addr_family_name (int af) * * This is used for options compatibility * checking. + * + * IPv6 and IPv4 protocols are comptabile but OpenVPN + * has always sent UDPv4, TCPv4 over the wire. Keep these + * strings for backward compatbility */ int proto_remote (int proto, bool remote) @@ -2579,10 +2557,8 @@ proto_remote (int proto, bool remote) { switch (proto) { - case PROTO_TCPv4_SERVER: return PROTO_TCPv4_CLIENT; - case PROTO_TCPv4_CLIENT: return PROTO_TCPv4_SERVER; - case PROTO_TCPv6_SERVER: return PROTO_TCPv6_CLIENT; - case PROTO_TCPv6_CLIENT: return PROTO_TCPv6_SERVER; + case PROTO_TCP_SERVER: return PROTO_TCP_CLIENT; + case PROTO_TCP_CLIENT: return PROTO_TCP_SERVER; } } return proto; @@ -2733,7 +2709,7 @@ link_socket_read_udp_posix (struct link_socket *sock, struct link_socket_actual *from) { socklen_t fromlen = sizeof (from->dest.addr); - socklen_t expectedlen = af_addr_size(proto_sa_family(sock->info.proto)); + socklen_t expectedlen = af_addr_size(sock->info.af); addr_zero_host(&from->dest); ASSERT (buf_safe (buf, maxsize)); #if ENABLE_IP_PKTINFO @@ -2774,7 +2750,7 @@ link_socket_write_tcp (struct link_socket *sock, #if ENABLE_IP_PKTINFO -int +size_t link_socket_write_udp_posix_sendmsg (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) 
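Review bot: Changing the return type of link_socket_write_udp_posix_sendmsg from `int` to `size_t` makes a failed send indistinguishable from a very large successful one, assuming the function returns the result of sendmsg() (its body is outside this hunk), because -1 converts to SIZE_MAX. Any caller that tests the result with `< 0` then never sees the error. `ssize_t` carries both the length and the error value. The same applies to link_socket_write_udp_posix, link_socket_write_tcp_posix and link_socket_write_udp in socket.h (hunks at -937, -957 and -967).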
@@ -2787,7 +2763,7 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, iov.iov_len = BLEN (buf); mesg.msg_iov = &iov; mesg.msg_iovlen = 1; - switch (sock->info.lsa->remote.addr.sa.sa_family) + switch (to->ai_family) { case AF_INET: { diff --git a/openvpn/src/openvpn/socket.h b/openvpn/src/openvpn/socket.h index 44f1098b..ae6cb9bc 100644 --- a/openvpn/src/openvpn/socket.h +++ b/openvpn/src/openvpn/socket.h @@ -39,7 +39,7 @@ /* * OpenVPN's default port number as assigned by IANA. */ -#define OPENVPN_PORT 1194 +#define OPENVPN_PORT "1194" /* * Maximum size passed passed to setsockopt SNDBUF/RCVBUF @@ -81,6 +81,11 @@ struct openvpn_sockaddr struct link_socket_actual { /*int dummy;*/ /* add offset to force a bug if dest not explicitly dereferenced */ + int ai_family; /* PF_xxx */ + int ai_socktype; /* SOCK_xxx */ + int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ + + struct openvpn_sockaddr dest; #if ENABLE_IP_PKTINFO union { @@ -97,8 +102,10 @@ struct link_socket_actual /* IP addresses which are persistant across SIGUSR1s */ struct link_socket_addr { - struct openvpn_sockaddr local; - struct openvpn_sockaddr remote; /* initial remote */ + struct addrinfo* bind_local; + struct addrinfo* remote_list; /* complete remote list */ + struct addrinfo* current_remote; /* remote used in the + current connection attempt */ struct link_socket_actual actual; /* reply to this address */ }; @@ -110,6 +117,7 @@ struct link_socket_info const struct plugin_list *plugins; bool remote_float; int proto; /* Protocol (PROTO_x defined below) */ + sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/ int mtu_changed; /* Set to true when mtu value is changed */ }; 
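Review bot: `switch (to->ai_family)` reads the new `ai_family` field of link_socket_actual, which is stored separately from the family inside `to->dest`. The receive path shown in this diff (link_socket_read_udp_posix) fills only `from->dest`, so unless every producer of a link_socket_actual also sets `ai_family` (set_actual_address is declared but its body is not shown), a reply address can reach this switch with the field unset. Switching on `to->dest.addr.sa.sa_family` uses the value that travels with the address itself. The function body continues outside the hunk.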
@@ -175,13 +183,10 @@ struct link_socket /* used for long-term queueing of pre-accepted socket listen */ bool listen_persistent_queued; - /* Does config file contain any ... blocks? */ - bool connection_profiles_defined; - const char *remote_host; - int remote_port; + const char *remote_port; const char *local_host; - int local_port; + const char *local_port; bool bind_local; # define INETD_NONE 0 @@ -195,9 +200,7 @@ struct link_socket int mode; int resolve_retry_seconds; - int connect_retry_seconds; int connect_timeout; - int connect_retry_max; int mtu_discover_type; struct socket_buffer_size socket_buffer_sizes; @@ -232,7 +235,7 @@ struct link_socket #if defined(ENABLE_HTTP_PROXY) || defined(ENABLE_SOCKS) /* The OpenVPN server we will use the proxy to connect to */ const char *proxy_dest_host; - int proxy_dest_port; + const char *proxy_dest_port; #endif #if PASSTOS_CAPABILITY @@ -279,11 +282,12 @@ int socket_finalize ( struct link_socket *link_socket_new (void); void socket_bind (socket_descriptor_t sd, - struct openvpn_sockaddr *local, + struct addrinfo *local, + int af_family, const char *prefix); int openvpn_connect (socket_descriptor_t sd, - struct openvpn_sockaddr *remote, + const struct sockaddr *remote, int connect_timeout, volatile int *signal_received); @@ -293,12 +297,12 @@ int openvpn_connect (socket_descriptor_t sd, void link_socket_init_phase1 (struct link_socket *sock, - const bool connection_profiles_defined, const char *local_host, - int local_port, + const char *local_port, const char *remote_host, - int remote_port, + const char *remote_port, int proto, + sa_family_t af, int mode, const struct link_socket *accept_from, #ifdef ENABLE_HTTP_PROXY @@ -317,9 +321,7 @@ link_socket_init_phase1 (struct link_socket *sock, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, - int connect_retry_seconds, int connect_timeout, - int connect_retry_max, int mtu_discover_type, int rcvbuf, int sndbuf, 
@@ -328,7 +330,7 @@ link_socket_init_phase1 (struct link_socket *sock, void link_socket_init_phase2 (struct link_socket *sock, const struct frame *frame, - volatile int *signal_received); + struct signal_info *sig_info); void socket_adjust_frame_parameters (struct frame *frame, int proto); @@ -343,14 +345,35 @@ void sd_close (socket_descriptor_t *sd); #define PS_SHOW_PKTINFO (1<<2) #define PS_DONT_SHOW_ADDR (1<<3) -const char *print_sockaddr_ex (const struct openvpn_sockaddr *addr, +const char *print_sockaddr_ex (const struct sockaddr *addr, const char* separator, const unsigned int flags, struct gc_arena *gc); +static inline +const char *print_openvpn_sockaddr_ex (const struct openvpn_sockaddr *addr, + const char* separator, + const unsigned int flags, + struct gc_arena *gc) +{ + return print_sockaddr_ex(&addr->addr.sa, separator, flags, gc); +} + +static inline +const char *print_openvpn_sockaddr (const struct openvpn_sockaddr *addr, + struct gc_arena *gc) +{ + return print_sockaddr_ex (&addr->addr.sa, ":", PS_SHOW_PORT, gc); +} + +static inline +const char *print_sockaddr (const struct sockaddr *addr, + struct gc_arena *gc) +{ + return print_sockaddr_ex (addr, ":", PS_SHOW_PORT, gc); +} + -const char *print_sockaddr (const struct openvpn_sockaddr *addr, - struct gc_arena *gc); const char *print_link_socket_actual_ex (const struct link_socket_actual *act, const char* separator, @@ -402,6 +425,9 @@ void link_socket_bad_incoming_addr (struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr); +void set_actual_address (struct link_socket_actual* actual, + struct addrinfo* ai); + void link_socket_bad_outgoing_addr (void); void setenv_trusted (struct env_set *es, const struct link_socket_info *info); 
@@ -477,11 +503,8 @@ bool unix_socket_get_peer_uid_gid (const socket_descriptor_t sd, int *uid, int * #define GETADDR_TRY_ONCE (1<<7) #define GETADDR_UPDATE_MANAGEMENT_STATE (1<<8) #define GETADDR_RANDOMIZE (1<<9) - -/* [ab]use flags bits to get socktype info downstream */ -/* TODO(jjo): resolve tradeoff between hackiness|args-overhead */ -#define GETADDR_DGRAM (1<<10) -#define dnsflags_to_socktype(flags) ((flags & GETADDR_DGRAM) ? SOCK_DGRAM : SOCK_STREAM) +#define GETADDR_PASSIVE (1<<10) +#define GETADDR_DATAGRAM (1<<11) in_addr_t getaddr (unsigned int flags, const char *hostname, @@ -491,6 +514,7 @@ in_addr_t getaddr (unsigned int flags, int openvpn_getaddrinfo (unsigned int flags, const char *hostname, + const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, @@ -506,19 +530,16 @@ int openvpn_getaddrinfo (unsigned int flags, */ enum proto_num { PROTO_NONE, /* catch for uninitialized */ - PROTO_UDPv4, - PROTO_TCPv4_SERVER, - PROTO_TCPv4_CLIENT, - PROTO_TCPv4, - PROTO_UDPv6, - PROTO_TCPv6_SERVER, - PROTO_TCPv6_CLIENT, - PROTO_TCPv6, + PROTO_UDP, + PROTO_TCP, + PROTO_TCP_SERVER, + PROTO_TCP_CLIENT, PROTO_N }; int ascii2proto (const char* proto_name); -const char *proto2ascii (int proto, bool display_form); +sa_family_t ascii2af (const char* proto_name); +const char *proto2ascii (int proto, sa_family_t af, bool display_form); const char *proto2ascii_all (struct gc_arena *gc); int proto_remote (int proto, bool remote); const char *addr_family_name(int af); @@ -544,12 +565,6 @@ datagram_overhead (int proto) * Misc inline functions */ -static inline bool -legal_ipv4_port (int port) -{ - return port > 0 && port < 65536; -} - static inline bool link_socket_proto_connection_oriented (int proto) { 
@@ -604,13 +619,35 @@ link_socket_actual_defined (const struct link_socket_actual *act) static inline bool addr_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { - switch(a1->addr.sa.sa_family) { + switch(a1->addr.sa.sa_family) { + case AF_INET: + return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr; + case AF_INET6: + return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr); + } + ASSERT(0); + return false; +} + +static inline bool +addrlist_match (const struct openvpn_sockaddr *a1, const struct addrinfo *addrlist) +{ + const struct addrinfo *curele; + for (curele = addrlist; curele; curele=curele->ai_next) { + + switch(a1->addr.sa.sa_family) { case AF_INET: - return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr; + if (a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr) + return true; + break; case AF_INET6: - return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr); + if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6*) curele->ai_addr)->sin6_addr)) + return true; + break; + default: + ASSERT(0); + } } - ASSERT(0); return false; } 
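Review bot: addrlist_match selects the comparison from `a1`'s family only: `curele->ai_addr` is cast to `struct sockaddr_in *` or `struct sockaddr_in6 *` without checking `curele->ai_family`. With a remote list that holds both families the comparison reads the wrong structure layout, and for an IPv4 entry cast to sockaddr_in6 it reads past the end of the entry; this function decides through addrlist_match_proto whether a connection-oriented peer address is accepted. addrlist_port_match in the next hunk already guards each case with `curele->ai_family == AF_INET` and `curele->ai_family == AF_INET6`, and the same test belongs in front of the two comparisons here. `default: ASSERT(0)` also aborts the process on an unexpected family in `a1`, where returning false would be enough.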
@@ -627,6 +664,34 @@ addr_host (const struct openvpn_sockaddr *addr) return ntohl (addr->addr.in4.sin_addr.s_addr); } + +static inline bool +addrlist_port_match (const struct openvpn_sockaddr *a1, const struct addrinfo *a2) +{ + const struct addrinfo *curele; + for(curele=a2;curele;curele = curele->ai_next) { + switch(a1->addr.sa.sa_family) { + case AF_INET: + if (curele->ai_family == AF_INET + && a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr + && a1->addr.in4.sin_port == ((struct sockaddr_in*)curele->ai_addr)->sin_port) + return true; + break; + case AF_INET6: + if (curele->ai_family == AF_INET6 + && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6*) curele->ai_addr)->sin6_addr) + && a1->addr.in6.sin6_port == ((struct sockaddr_in6*) curele->ai_addr)->sin6_port) + return true; + break; + default: + ASSERT(0); + } + } + return false; +} + + + static inline bool addr_port_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { @@ -644,14 +709,25 @@ addr_port_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockadd static inline bool addr_match_proto (const struct openvpn_sockaddr *a1, - const struct openvpn_sockaddr *a2, - const int proto) + const struct openvpn_sockaddr *a2, + const int proto) { - return link_socket_proto_connection_oriented (proto) + return link_socket_proto_connection_oriented (proto) ? addr_match (a1, a2) : addr_port_match (a1, a2); } + +static inline bool +addrlist_match_proto (const struct openvpn_sockaddr *a1, + struct addrinfo *addr_list, + const int proto) +{ + return link_socket_proto_connection_oriented (proto) + ? addrlist_match (a1, addr_list) + : addrlist_port_match (a1, addr_list); +} + static inline void addr_zero_host(struct openvpn_sockaddr *addr) { 
@@ -671,28 +747,15 @@ addr_copy_sa(struct openvpn_sockaddr *dst, const struct openvpn_sockaddr *src) dst->addr = src->addr; } -static inline void -addr_copy_host(struct openvpn_sockaddr *dst, const struct openvpn_sockaddr *src) -{ - switch(src->addr.sa.sa_family) { - case AF_INET: - dst->addr.in4.sin_addr.s_addr = src->addr.in4.sin_addr.s_addr; - break; - case AF_INET6: - dst->addr.in6.sin6_addr = src->addr.in6.sin6_addr; - break; - } -} - static inline bool addr_inet4or6(struct sockaddr *addr) { return addr->sa_family == AF_INET || addr->sa_family == AF_INET6; } -int addr_guess_family(int proto, const char *name); +int addr_guess_family(sa_family_t af,const char *name); static inline int -af_addr_size(unsigned short af) +af_addr_size(sa_family_t af) { switch(af) { case AF_INET: return sizeof (struct sockaddr_in); @@ -768,9 +831,9 @@ link_socket_verify_incoming_addr (struct buffer *buf, case AF_INET: if (!link_socket_actual_defined (from_addr)) return false; - if (info->remote_float || !addr_defined (&info->lsa->remote)) + if (info->remote_float || !info->lsa->remote_list) return true; - if (addr_match_proto (&from_addr->dest, &info->lsa->remote, info->proto)) + if (addrlist_match_proto (&from_addr->dest, info->lsa->remote_list, info->proto)) return true; } } @@ -812,8 +875,8 @@ link_socket_set_outgoing_addr (const struct buffer *buf, || !addr_match_proto (&act->dest, &lsa->actual.dest, info->proto)) /* address undef or address == remote or --float */ && (info->remote_float - || !addr_defined (&lsa->remote) - || addr_match_proto (&act->dest, &lsa->remote, info->proto)) + || !lsa->remote_list) + || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto) ) { link_socket_connection_initiated (buf, info, act, common_name, es); 
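Review bot: In link_socket_set_outgoing_addr the closing parenthesis has moved: the second group now ends after `!lsa->remote_list)`, so `|| addrlist_match_proto (...)` is OR-ed with the whole condition instead of being the third alternative inside the "address undef or address == remote or --float" group. As written, any packet whose source matches the remote list takes the branch and calls link_socket_connection_initiated even when the first group (the new-or-changed-address test, which starts outside the hunk) is false. Restore the grouping with `|| !lsa->remote_list` followed by `|| addrlist_match_proto (&act->dest, lsa->remote_list, info->proto))`.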
@@ -937,13 +1000,13 @@ link_socket_write_win32 (struct link_socket *sock, #else -static inline int +static inline size_t link_socket_write_udp_posix (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { #if ENABLE_IP_PKTINFO - int link_socket_write_udp_posix_sendmsg (struct link_socket *sock, + size_t link_socket_write_udp_posix_sendmsg (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to); @@ -957,7 +1020,7 @@ link_socket_write_udp_posix (struct link_socket *sock, (socklen_t) af_addr_size(to->dest.addr.sa.sa_family)); } -static inline int +static inline size_t link_socket_write_tcp_posix (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -967,7 +1030,7 @@ link_socket_write_tcp_posix (struct link_socket *sock, #endif -static inline int +static inline size_t link_socket_write_udp (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) diff --git a/openvpn/src/openvpn/socks.c b/openvpn/src/openvpn/socks.c index 235982e4..804c9836 100644 --- a/openvpn/src/openvpn/socks.c +++ b/openvpn/src/openvpn/socks.c @@ -55,13 +55,13 @@ void socks_adjust_frame_parameters (struct frame *frame, int proto) { - if (proto == PROTO_UDPv4) + if (proto == PROTO_UDP) frame_add_to_extra_link (frame, 10); } struct socks_proxy_info * socks_proxy_new (const char *server, - int port, + const char *port, const char *authfile, bool retry) { @@ -70,7 +70,7 @@ socks_proxy_new (const char *server, ALLOC_OBJ_CLEAR (p, struct socks_proxy_info); ASSERT (server); - ASSERT (legal_ipv4_port (port)); + ASSERT (port); strncpynt (p->server, server, sizeof (p->server)); p->port = port; 
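Review bot: In socks_proxy_new, `p->port = port;` now stores the caller's pointer, while `server` is still copied into `p->server` with strncpynt, so the proxy object's port is valid only as long as the caller's string is. If that string lives in option storage that is freed or rebuilt on restart (not visible here), a later read would use a stale pointer. Either copy it into a fixed buffer as is done for `server`, or add a comment on `struct socks_proxy_info` such as `/* borrowed; must outlive this object */`. `ASSERT (port)` also drops the range check that `legal_ipv4_port` provided, so the value is validated only where the string is eventually resolved.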
@@ -389,11 +389,27 @@ recv_socks_reply (socket_descriptor_t sd, return true; } +static int +port_from_servname(const char* servname) +{ + int port =0; + port = atoi(servname); + if(port >0 && port < 65536) + return port; + + struct servent* service; + service = getservbyname(servname, NULL); + if(service) + return service->s_port; + + return 0; +} + void establish_socks_proxy_passthru (struct socks_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *servname, /* openvpn server port */ volatile int *signal_received) { char buf[128]; @@ -414,6 +430,13 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p, buf[4] = (char) len; memcpy(buf + 5, host, len); + int port = port_from_servname (servname); + if (port ==0) + { + msg (D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname); + goto error; + } + buf[5 + len] = (char) (port >> 8); buf[5 + len + 1] = (char) (port & 0xff); @@ -425,6 +448,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p, goto error; } } + /* receive reply from Socks proxy and discard */ if (!recv_socks_reply (sd, NULL, signal_received)) diff --git a/openvpn/src/openvpn/socks.h b/openvpn/src/openvpn/socks.h index b55ff6fb..30b957d7 100644 --- a/openvpn/src/openvpn/socks.h +++ b/openvpn/src/openvpn/socks.h @@ -42,14 +42,14 @@ struct socks_proxy_info { bool retry; char server[128]; - int port; + const char *port; char authfile[256]; }; void socks_adjust_frame_parameters (struct frame *frame, int proto); struct socks_proxy_info *socks_proxy_new (const char *server, - int port, + const char *port, const char *authfile, bool retry); 
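Review bot: port_from_servname returns `service->s_port` unchanged, but getservbyname() gives the port in network byte order, while the caller writes it out as `(char) (port >> 8)` followed by `(char) (port & 0xff)`, which expects host order; on a little-endian host a service name would therefore produce a byte-swapped port in the SOCKS request. Use `return ntohs (service->s_port);`. `atoi` also accepts trailing garbage (a constructed example is `"80x"`, which parses as 80), so parsing with strtol and checking the end pointer would be stricter. The declaration of `service` after statements requires C99, which the rest of the file may not assume.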
@@ -58,7 +58,7 @@ void socks_proxy_close (struct socks_proxy_info *sp); void establish_socks_proxy_passthru (struct socks_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *servname, /* openvpn server port */ volatile int *signal_received); void establish_socks_proxy_udpassoc (struct socks_proxy_info *p, diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c index 6995958b..12318b33 100644 --- a/openvpn/src/openvpn/ssl_polarssl.c +++ b/openvpn/src/openvpn/ssl_polarssl.c @@ -338,7 +338,7 @@ void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline) { - if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline))); + if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline))) msg (M_FATAL, "Cannot load inline CA certificates"); } else diff --git a/openvpn/src/openvpn/tun.c b/openvpn/src/openvpn/tun.c index 1b2e5822..a0754427 100644 --- a/openvpn/src/openvpn/tun.c +++ b/openvpn/src/openvpn/tun.c @@ -413,8 +413,8 @@ init_tun (const char *dev, /* --dev option */ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */ int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */ - in_addr_t local_public, - in_addr_t remote_public, + struct addrinfo *local_public, + struct addrinfo *remote_public, const bool strict_warn, struct env_set *es) { 
@@ -468,24 +468,31 @@ init_tun (const char *dev, /* --dev option */ */ if (strict_warn) { + struct addrinfo *curele; ifconfig_sanity_check (tt->type == DEV_TYPE_TUN, tt->remote_netmask, tt->topology); /* * If local_public or remote_public addresses are defined, * make sure they do not clash with our virtual subnet. */ - - check_addr_clash ("local", + + for(curele=remote_public;curele;curele=curele->ai_next) { + if(curele->ai_family == AF_INET) + check_addr_clash ("local", tt->type, - local_public, + ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr, tt->local, tt->remote_netmask); + } - check_addr_clash ("remote", - tt->type, - remote_public, - tt->local, - tt->remote_netmask); + for(curele=remote_public;curele;curele=curele->ai_next) { + if(curele->ai_family == AF_INET) + check_addr_clash ("remote", + tt->type, + ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr, + tt->local, + tt->remote_netmask); + } if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) check_subnet_conflict (tt->local, tt->remote_netmask, "TUN/TAP adapter"); @@ -1405,7 +1412,7 @@ close_tun_generic (struct tuntap *tt) if (tt->fd >= 0) close (tt->fd); if (tt->actual_name) - free (tt->actual_name); + free (tt->actual_name); clear_tuntap (tt); } @@ -1439,8 +1446,8 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu msg (M_ERR, "ERROR: Cannot open TUN"); } /* Set the actual name to a dummy name to enable scripts */ - tt->actual_name = (char *) malloc(32); - strncpy(tt->actual_name, "vpnservice-tun",32); + tt->actual_name = (char *) malloc(32); + strncpy(tt->actual_name, "vpnservice-tun",32); gc_free (&gc); } diff --git a/openvpn/src/openvpn/tun.h b/openvpn/src/openvpn/tun.h index c31ac001..e7d941ab 100644 --- a/openvpn/src/openvpn/tun.h +++ b/openvpn/src/openvpn/tun.h 
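Review bot: The first loop walks `remote_public` but reports clashes as "local", so `local_public` is never examined and the remote list is checked twice. The loop header should read `for(curele=local_public;curele;curele=curele->ai_next) {`. Entries whose `ai_family` is not `AF_INET` are skipped silently, so a comment stating that only IPv4 public addresses are compared against the virtual subnet would help the next reader. `init_tun` starts and ends outside the hunk.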
@@ -231,8 +231,8 @@ struct tuntap *init_tun (const char *dev, /* --dev option */ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 / IPv6 */ int ifconfig_ipv6_netbits_parm, /* --ifconfig parm 1 / bits */ const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 / IPv6 */ - in_addr_t local_public, - in_addr_t remote_public, + struct addrinfo *local_public, + struct addrinfo *remote_public, const bool strict_warn, struct env_set *es); diff --git a/openvpn/src/openvpn/win32.c b/openvpn/src/openvpn/win32.c index d00088eb..2db96a8d 100644 --- a/openvpn/src/openvpn/win32.c +++ b/openvpn/src/openvpn/win32.c @@ -82,51 +82,6 @@ struct semaphore netcmd_semaphore; /* GLOBAL */ */ static char *win_sys_path = NULL; /* GLOBAL */ -/* - * Configure PATH. On Windows, sometimes PATH is not set correctly - * by default. - */ -static void -configure_win_path (void) -{ - static bool done = false; /* GLOBAL */ - if (!done) - { - FILE *fp; - fp = fopen ("c:\\windows\\system32\\route.exe", "rb"); - if (fp) - { - const int bufsiz = 4096; - struct gc_arena gc = gc_new (); - struct buffer oldpath = alloc_buf_gc (bufsiz, &gc); - struct buffer newpath = alloc_buf_gc (bufsiz, &gc); - const char* delim = ";"; - DWORD status; - fclose (fp); - status = GetEnvironmentVariable ("PATH", BPTR(&oldpath), (DWORD)BCAP(&oldpath)); -#if 0 - status = 0; -#endif - if (!status) - { - *BPTR(&oldpath) = '\0'; - delim = ""; - } - buf_printf (&newpath, "C:\\WINDOWS\\System32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem%s%s", - delim, - BSTR(&oldpath)); - SetEnvironmentVariable ("PATH", BSTR(&newpath)); -#if 0 - status = GetEnvironmentVariable ("PATH", BPTR(&oldpath), (DWORD)BCAP(&oldpath)); - if (status > 0) - printf ("PATH: %s\n", BSTR(&oldpath)); -#endif - gc_free (&gc); - done = true; - } - } -} - void init_win32 (void) { 
@@ -907,53 +862,41 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i { if (openvpn_execve_allowed (flags)) { - if (script_method == SM_EXECVE) - { - struct gc_arena gc = gc_new (); - STARTUPINFOW start_info; - PROCESS_INFORMATION proc_info; - - char *env = env_block (es); - WCHAR *cl = wide_cmd_line (a, &gc); - WCHAR *cmd = wide_string (a->argv[0], &gc); - - CLEAR (start_info); - CLEAR (proc_info); - - /* fill in STARTUPINFO struct */ - GetStartupInfoW(&start_info); - start_info.cb = sizeof(start_info); - start_info.dwFlags = STARTF_USESHOWWINDOW; - start_info.wShowWindow = SW_HIDE; - - if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info)) - { - DWORD exit_status = 0; - CloseHandle (proc_info.hThread); - WaitForSingleObject (proc_info.hProcess, INFINITE); - if (GetExitCodeProcess (proc_info.hProcess, &exit_status)) - ret = (int)exit_status; - else - msg (M_WARN|M_ERRNO, "openvpn_execve: GetExitCodeProcess %S failed", cmd); - CloseHandle (proc_info.hProcess); - } - else - { - msg (M_WARN|M_ERRNO, "openvpn_execve: CreateProcess %S failed", cmd); - } - free (env); - gc_free (&gc); - } - else if (script_method == SM_SYSTEM) - { - configure_win_path (); - ret = openvpn_system (argv_system_str (a), es, flags); - } - else - { - ASSERT (0); - } - } + struct gc_arena gc = gc_new (); + STARTUPINFOW start_info; + PROCESS_INFORMATION proc_info; + + char *env = env_block (es); + WCHAR *cl = wide_cmd_line (a, &gc); + WCHAR *cmd = wide_string (a->argv[0], &gc); + + CLEAR (start_info); + CLEAR (proc_info); + + /* fill in STARTUPINFO struct */ + GetStartupInfoW(&start_info); + start_info.cb = sizeof(start_info); + start_info.dwFlags = STARTF_USESHOWWINDOW; + start_info.wShowWindow = SW_HIDE; + + if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info)) + { + DWORD exit_status = 0; + CloseHandle (proc_info.hThread); + WaitForSingleObject (proc_info.hProcess, INFINITE); + if 
(GetExitCodeProcess (proc_info.hProcess, &exit_status)) + ret = (int)exit_status; + else + msg (M_WARN|M_ERRNO, "openvpn_execve: GetExitCodeProcess %S failed", cmd); + CloseHandle (proc_info.hProcess); + } + else + { + msg (M_WARN|M_ERRNO, "openvpn_execve: CreateProcess %S failed", cmd); + } + free (env); + gc_free (&gc); + } else if (!exec_warn && (script_security < SSEC_SCRIPTS)) { msg (M_WARN, SCRIPT_SECURITY_WARNING); diff --git a/openvpn/version.m4 b/openvpn/version.m4 index 161462e5..1ea1c32f 100644 --- a/openvpn/version.m4 +++ b/openvpn/version.m4 @@ -1,7 +1,7 @@ dnl define the OpenVPN version define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) -define([PRODUCT_VERSION], [2.3_beta1]) +define([PRODUCT_VERSION], [2.3_master]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) define([PRODUCT_VERSION_RESOURCE], [2,3,0,0]) dnl define the TAP version -- cgit v1.2.3 From 7411616612c3fdc34dbc77e00b727e25de02cfd3 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 14 Dec 2012 13:32:06 +0100 Subject: proto_remote fix --- openvpn/src/openvpn/options.c | 2 +- openvpn/src/openvpn/socket.c | 20 ++++++++++---------- openvpn/src/openvpn/socket.h | 2 +- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index dabc7577..158e155f 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -2889,7 +2889,7 @@ options_string (const struct options *o, buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type)); buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame)); buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame)); - buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote),o->ce.af, true)); + buf_printf (&out, ",proto %s", proto_remote (o->ce.proto, remote)); if (o->tun_ipv6) buf_printf (&out, ",tun-ipv6"); 
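Review bot: The result of `WaitForSingleObject (proc_info.hProcess, INFINITE)` is ignored, so a failed wait falls through to `GetExitCodeProcess`, which can then report `STILL_ACTIVE` as if it were the script's exit status. Checking it, e.g. `if (WaitForSingleObject (proc_info.hProcess, INFINITE) != WAIT_OBJECT_0) msg (M_WARN|M_ERRNO, "openvpn_execve: WaitForSingleObject failed");`, keeps a script's verdict from being misread. The `INFINITE` timeout also means a script that never exits blocks the caller; if that is intended, a comment saying so would be useful. `openvpn_execve` begins before the hunk.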
diff --git a/openvpn/src/openvpn/socket.c b/openvpn/src/openvpn/socket.c index c861fdd2..2f929ef6 100644 --- a/openvpn/src/openvpn/socket.c +++ b/openvpn/src/openvpn/socket.c @@ -2549,19 +2549,19 @@ addr_family_name (int af) * has always sent UDPv4, TCPv4 over the wire. Keep these * strings for backward compatbility */ -int +const char* proto_remote (int proto, bool remote) { ASSERT (proto >= 0 && proto < PROTO_N); - if (remote) - { - switch (proto) - { - case PROTO_TCP_SERVER: return PROTO_TCP_CLIENT; - case PROTO_TCP_CLIENT: return PROTO_TCP_SERVER; - } - } - return proto; + if (proto == PROTO_UDP) + return "UDPv4"; + + if ( (remote && proto == PROTO_TCP_CLIENT) || proto == PROTO_TCP_SERVER) + return "TCPv4_SERVER"; + if ( (remote && proto == PROTO_TCP_SERVER) || proto == PROTO_TCP_CLIENT) + return "TCPv4_CLIENT"; + + ASSERT (0); } /* diff --git a/openvpn/src/openvpn/socket.h b/openvpn/src/openvpn/socket.h index ae6cb9bc..33a59f0f 100644 --- a/openvpn/src/openvpn/socket.h +++ b/openvpn/src/openvpn/socket.h @@ -541,7 +541,7 @@ int ascii2proto (const char* proto_name); sa_family_t ascii2af (const char* proto_name); const char *proto2ascii (int proto, sa_family_t af, bool display_form); const char *proto2ascii_all (struct gc_arena *gc); -int proto_remote (int proto, bool remote); +const char *proto_remote (int proto, bool remote); const char *addr_family_name(int af); /* -- cgit v1.2.3 From 66d5f00763b30d84e12e3fc949d033a18e93f625 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sat, 15 Dec 2012 20:35:23 +0100 Subject: Add spanish files from crowding --- fetchtranslations.sh | 2 +- res/values-es/arrays.xml | 53 +++--- res/values-es/strings.xml | 399 +++++++++++++++++++++++----------------------- res/values-he/strings.xml | 26 +++ 4 files changed, 250 insertions(+), 230 deletions(-) mode change 100644 => 100755 res/values-es/arrays.xml mode change 100644 => 100755 res/values-es/strings.xml 
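Review bot: The `remote` swap is lost for a TCP server: `proto == PROTO_TCP_SERVER` in the first condition is true whatever `remote` is, so `proto_remote (PROTO_TCP_SERVER, true)` returns "TCPv4_SERVER" where the removed code mapped it to the client side. The unconditional arm needs a `!remote` guard: `if ( (remote && proto == PROTO_TCP_CLIENT) || (!remote && proto == PROTO_TCP_SERVER))`, with the mirror image for "TCPv4_CLIENT". The result is printed into the string built in `options_string`, so if the peers compare that string, a wrong side here would presumably show up as an options mismatch. The function also ends in `ASSERT (0)` with no `return`, and every other value below `PROTO_N` reaches it; a final `return NULL;` or an explicit default string avoids falling off the end of a non-void function.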
diff --git a/fetchtranslations.sh b/fetchtranslations.sh index baa393fe..ae8d09f1 100755 --- a/fetchtranslations.sh +++ b/fetchtranslations.sh @@ -10,7 +10,7 @@ fi echo "Fetch translation archive" fetch -q http://crowdin.net/download/project/ics-openvpn.zip -langtoinclude="ca cs de ko et it fr ja he ru no nl" +langtoinclude="ca cs de es et fr he it ja ko no nl ru" for lang in $langtoinclude do diff --git a/res/values-es/arrays.xml b/res/values-es/arrays.xml old mode 100644 new mode 100755 index ed33c8c7..fd401872 --- a/res/values-es/arrays.xml +++ b/res/values-es/arrays.xml @@ -1,28 +1,27 @@ + + - - - "Certificados" - "Archivo PKCS12" - "Certificado Android" - "Usuario/contraseña" - "Claves estáticas" - "Usuario/contr. + Certificados" - "Usuario/contr. + PKCS12 " - "Usuario/contr. + Android" - - - - "0" - "1" - "Sin especificar" - - - "0 - No hay registro" - "1 - Detalle prederminado" - "2 - Registro más detallado" - "3" - "4" - "5 - registro de depuración" - - - \ No newline at end of file + + Certificados + Archivo PKCS12 + Certificado de Android + Usuario/Contraseña + Llaves Estaticas + Usuario/Contraseña + Certificados + Usuario/Contraseña + PKCS12 + Usuario/Contraseña + Android + + + 0 + 1 + No especificado + + + 0 - No registrar + 1 - Registro predeterminado + 2 - Registro más detallado + 3 + 4 + 5 - Registro de depuración + + diff --git a/res/values-es/strings.xml b/res/values-es/strings.xml old mode 100644 new mode 100755 index 5674bfdf..b0279a2f --- a/res/values-es/strings.xml +++ b/res/values-es/strings.xml 
@@ -1,202 +1,197 @@ - - - OpenVPN para Android - Dirección del servidor: - Puerto del servidor: - Ubicación - ¡carpeta no se puede leer! - Seleccionar - Cancelar - Sin datos - Compresión LZO - Sin certificado - Certificado cliente - Clave de certificado cliente - Archivo PKCS12 - Certificado CA - No hay nada seleccionado - El código fuente y seguimiento de problemas están disponibles a http://code.google.com/p/ics-openvpn/ - Este programa utiliza los siguientes componentes. Ver la fuente para detalles completos sobre las licencias. - Acerca de - Acerca de OpenVPN para Android - Lista de todas las VPNs configuradas - Todas tus VPNs - Tipo - Contraseña PKCS12 - Seleccionar… - Nada seleccionado - Utilizar autenticación TLS - Dirección TLS - Introducir la dirección IPv6/máscara de red en formato CIDR (por ejemplo: 2000:dd::23/64) - Introducir la dirección IPv4/máscara de red en formato CIDR (por ejemplo: 1.2.3.4/24) - Dirección IPv4 - Dirección IPv6 - Introducir las opciones personalizadas de OpenVPN. Ten mucho cuidado. Además, ten en cuenta que muchos de los ajustes OpenVPN relacionados con tun no se pueden soportar por el diseño de VPNSettings. Si crees que falta una opción importante, ponte en contacto con el autor - Usuario - Contraseña - Para la configuración estática, las claves de autentificación TLS se utilizarán como claves estáticas. - Configurar la VPN - Añadir perfil - Escribir un nombre para identificar el nuevo perfil - Nombre de perfil ya existe - Nombre de perfil - No hay certificado usuario seleccionado. - No hay ningún error encontrado - Error de configuración - No se puede analizar la dirección IPv4 - No se puede analizar las rutas personalizadas - Dejar en blanco para preguntar a petición - Acceso directo OpenVPN - Conectar a VPN - Perfil especificado en el acceso directo no se encuentra - Prefijo de host aleatorio - Añade 6 caracteres aleatorios antes del nombre de host - Habilitar opciones personalizadas - Especificar opciones personalizadas. 
¡Utiliza con cuidado! - Ruta rechazada por Android - Desconectar - borrar registro - Confirmar cancelación - ¿Desconectar la VPN conectada / cancelar el intento de conexión? - Eliminar VPN - Comprueba si el servidor utiliza un certificado servidor TLS - Salvo servidor TLS - Verificación del certificado nombre de host - Nombre de host remoto (CN) - Habilita la autenticación de clave TLS - Archivo de autenticación TLS - Pide al servidor las direcciones IP, rutas y opciones de sincronización. - No se pide información del servidor. Hay que configurar los ajustes en bajo. - Ajustes de pull - DNS - Reemplazar la configuración DNS del servidor - Utilizar servidores DNS personalizados - searchDomain - Servidor DNS que se utilizará. - Servidor DNS: - Servidor DNS secundario se utiliza si el servidor DNS primario no se puede alcanzar. - Servidor DNS de reserva - Rechazar rutas proporcionadas - Rechazar rutas proporcionadas por el servidor. - Redirige todo el tráfico hacia la VPN - Utilizar ruta por defecto - Introducir rutas personalizadas. Introducir el destino sólo en formato CIDR. \"10.0.0.0/8 2002::/16\\" dirigiría las redes 10.0.0.0/8 y 2002::/16 hacia la VPN. - Rutas personalizadas - Nivel de detalle del registro - Permite los paquetes autenticados de cualquier IP - Permitir servidor flotante - Opciones personalizadas - Editar ajustes de VPN - ¿Eliminar el perfil VPN %s? - En algunos firmwares personalizados ICS el permiso de /dev/tun puede ser incorrecto, o el módulo tun puede faltar totalmente. Para firmwares CM9 intenta corregir la propiedad en los ajustes. - Error grave en la apertura de la interfaz tun - Error: - Borrar - información - Mostrar detalles de conexión - Última configuración de la interfaz OpenVPN: - Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d - Servidor DNS: %s - Dominio DNS: %s - Rutas: %s - Rutas IPv6: %s - Se ha obtenido información de interfaz %1$s, y %2$s, suponiendo que la segunda dirección es la dirección del nodo remoto. 
Utilizando máscara de red /32 para IP local. Modo relatado por OpenVPN es \\"%3$s\\". - No se puede entender %1$s, y %2$s como ruta IP con máscara de red CIDR, utilizando /32 como la máscara de red. - Ruta %1$s/%2$s corregida en %3$s/%2$s - - %1$s %2$s - Enviar el archivo de registro - Enviar - Archivo de registro de ICS OpenVPN - Entrada de registro copiada al portapapeles - Modo tap - Modo pap no es posible con la API VPN sin root. Por lo tanto esta aplicación no puede soportar tap. - ¿Otra vez? ¿Estás de broma? Modo tap no se soporta de verdad, y mandarme más correos no lo va a cambiar. - ¿Por tercera vez? - Preguntas frecuentes - Preguntas frecuentes y algunos consejos - Copiar entradas de registro - Para copiar una sola entrada de registro, púlsala y mantén pulsada. Para copiar/enviar el registro entero, utiliza la opción \\"Enviar el archivo de registro\\". Utilice el botón de menú físico si no se ve en la interfaz gráfica de usuario. - Acceso directo para iniciar - Puede poner un acceso directo para iniciar OpenVPN en su escritorio. Según tu - Tu firmware no soporta la API de VPNService :( - Cifrado - Introducir método de cifrado - Introducir la clave de cifrado para OpenVPN. Dejar en blanco para utilizar cifrado por defecto. - Autenticación/cifrado - Explorador de archivos - Archivo en línea - Importar - Error al importar archivo - No se pudo importar el archivo de sistema de archivos - [[Datos de archivos en línea]] - Rechaza abrir el dispositivo tun, sin la información de IP - Importar perfil de archivo ovpn - Importar - No se pudo leer el perfil que importar - Error al leer el archivo de configuración - añadir perfil - Intentando leer el archivo: %1$s - No se encontró el archivo %1$s que se menciona en el archivo de configuración importado - Importando archivo de configuración de la fuente %1$s - Tu configuración tiene algunas opciones de configuración que no se pudieron analizar. 
Estas opciones se han añadido como opciones de configuración personalizada. La configuración personalizada se muestra abajo: - Lectura del archivo de configuración terminada. - No enlazar a la dirección local y el puerto - Sin enlazamiento local - Importar archivo de configuración - Seguridad - Importar - Error al mostrar selección de certificado - IPv4 - IPv6 - Esperando mensaje de estado… - perfil importado - perfil importado %d - Firmwares rotos - El nombre de usuario no puede estar vacío. - Clave de cifrado de archivo PKCS12 - Contraseña de clave privada - Contraseña - icono - Autenticación TLS - Configuración generada - Ajustes generales - Intentar definir la propriedad de /dev/tun como system. Algunos firmwares CM9 lo necesita para que la API VPNService funcione. Necesita root. - Corregir la propiedad de /dev/tun - Muestra el archivo de configuración de OpenVPN generado - Editar \\"%s\\" - Generando configuración… - Habilitar esta opción obliga la reconexión si el estado de la red se cambia (Wi-Fi a móvil, y al revés) - Reconectar si la red se cambia - Tiene certificado de \'%s\' del llavero - Estado de red: %s - Seleccionar - Mostrar la ventana de registro cuando se establece la conexión. La ventana de registro se puede acceder de la barra de notificaciones. - Mostrar ventana de registro - Mantener la notificación mostrada después de que la conexión se establece, para mostrar las estadísticas de tráfico. - Mostrar estadísticas de tráfico - Utilizando %1$s (%2$s) %3$s, Android API %4$d - Traducción español por Gerard Bonner - <59539051+ovpntrans.es@mail.dcu.ie> - - IP y DNS - Básico - Enrutamiento - Ajustes OpenVPN raros. Normalmente, no se necesitan. - Avanzado - \ No newline at end of file + + + + OpenVPN para Android + Dirección del servidor: + Puerto del servidor: + Ubicación + ¡no se puede leer la carpeta! 
+ Seleccionar + Cancelar + No hay datos + Compresión LZO + Sin Certificado + Certificado de Cliente + Llave del Certificado de Cliente + Archivo PKCS12 + Certificado de la CA + Nada seleccionado + Codigo fuente y sistema de reporte de errores disponibles en http://code.google.com/p/ics-openvpn/ + El programa utiliza los siguientes componentes. Vea las fuentes para obtener más información sobre las licencias + Acerca de + Acerca de OpenVPN para Android + Lista de todas las VPN configuradas + Perfiles VPN + Tipo + Contraseña PKCS12 + Seleccionar... + Nada seleccionado + Utilizar la autenticación TLS + Dirección TLS + Introduzca la dirección/máscara de red IPv6 en formato CIDR (por ejemplo, 2000:dd::23/64) + Introduzca la dirección/máscara de red IPv4 en formato CIDR (por ejemplo, 1.2.3.4/24) + Dirección IPv4 + Dirección IPv6 + Introduzca las opciones personalizadas de OpenVPN. Uselas con mucho cuidado. Tenga en cuenta que muchas de las configuraciones de OpenVPN relacionadas con tun no pueden ser soportadas por el diseño de VPNSettings. Si crees falta una funcion importate contacta al autor + Nombre de usuario + Contraseña + Para la configuración estática las llaves de autenticación TLS se utilizaran como llaves estáticas. + Configurar la VPN + Agregar perfil + Escriba un nombre que identifica el nuevo perfil + Nombre de perfil duplicado + Nombre del Perfil + Sin certificado de usuario seleccionado. + No se encontraron errores + Error en la configuración + No se puede analizar la dirección IPv4 + No se puede analizar las rutas personalizadas + Deje en blanco para consultar sobre demanda + Acceso directo de OpenVPN + Conectar a VPN + Perfil especificado en el acceso directo no encontrado + Prefijo aleatorio de Host + Agrega 6 caracteres al azar delante del nombre de host + Habilitar opciones personalizadas + Especificar opciones personalizadas. ¡Use con cuidado! 
+ Ruta rechazada por Android + Desconectar + Limpiar registro + Cancelar confirmación + Eliminar VPN + Comprueba si el servidor utiliza un certificado de servidor TLS + Excepto servidor TLS + Comprobación del certificado de nombre de host + Nombre de Host remoto(CN) + habilita la autenticación de clave TLS + Archivo de autenticación TLS + Obtener Direcciones IP, rutas y opciones de sincronizacion del servidor. + No se pedira informacion del servidor. Necesita especifiar la configuracion abajo. + Obtener Configuracion + DNS + Reemplazar la configuración DNS del Servidor + Usar sus propios servidores DNS + searchDomain + Servidor DNS a ser usado. + Servidor DNS + Ignorar rutas obtenidas + Ignorar rutas obtenidas del servidor. + Redirige todo el tráfico a través de VPN + Usar ruta predeterminada + Rutas personalizadas + Nivel de detalle del registro + Permite paquetes autenticados desde cualquier IP + Permitir servidor flotante + Opciones personalizadas + Modificar la configuración de VPN + ¿Eliminar el perfil VPN %s? + "Error: " + Borrar + información + Mostrar detalles de la conexión + Última configuración de interfaz de OpenVPN: + Servidor DNS: %s + Dominio DNS: %s + Rutas: %s + Rutas IPv6: %s + Ruta conectada de %1$s/%2$s a %3$s/%2$s + %1$s %2$s + Enviar el archivo de registro + Enviar + Archivo de registro de OpenVPN de ICS + Entrada de registro copiada al Portapapeles + Modo Tap + El Modo tap no es posible sin la API VPN de root. Por lo tanto la aplicacion no puede dar soporte a tap + ¿Otra vez? ¿Estás bromeando? El modo tap no esta realmente soportado y enviar más correos preguntando si sera soportado no ayudará. + ¿Una tercera vez? En realidad se podría escribir un emulador de tap basado en tun que podria agregar información layer2 al enviar y obtener información layer2 al recibir. Pero este emulador tap tendría que implementar también ARP y posiblemente un cliente DHCP. No sé de alguien que este realizando trabajo en esa dirección. 
Ponte en contacto conmigo si deseas iniciar la codificación de esto. + P+F + Preguntas frecuentes y consejos + Copiar las entradas del registro + Para copiar una sola entrada de registro presione y mantenga pulsado sobre la entrada del registro. Para copiar y enviar el registro completo use la opción Enviar registro. Utilice el botón fisico de menú si no visible en la interfaz. + Acceso directo para iniciar + Su imagen no es compatible con la API de VPNService, lo siento :( + Cifrado + Especifique el método de cifrado + Autenticación/Cifrado + Administrador de archivos + Importar + Error al importar el archivo + No se pudo importar el archivo del sistema de archivos + Negandose a abrir el dispositivo tun sin información de IP + Importar perfil de un archivo ovpn + Importar + No se pudo leer el perfil a importar + Error al leer el archivo de configuración + Agregar perfil + Intentando leer el archivo: %1$s + No se pudo encontrar el archivo %1$s mencionado en el archivo de configuracion importado + Importando archivo de configuración del origen %1$s + Su configuración tiene algunas opciones de configuración que pueden ser analizadas. Estas opciones se agregaron como opciones de configuración personalizadas. A continuación se muestra la configuración personalizada: + Se termino de leer el archivo de configuracion. + No enlazar con el puerto y la dirección local + Ningún enlace local + Importar archivo de configuracion + Consideraciones de seguridad + Importar + Error mostrando la seleccion de certificados + IPv4 + IPv6 + Esperando el mensaje de estado... + perfil importado + perfil importado %d + Imágenes rotas + El nombre de usuario no debe estar vacío. + Contraseña de clave privada + Contraseña + icono de archivo + Autenticación TLS + Configuración generada + Preferencias generales + Intenta establecer el propietario de /dev/tun a system. Algunas imágenes de CM9 lo necesitan hacer funcionar la API de VPNService. Requiere permisos root. 
+ Arreglar la propiedad de /dev/tun + Muestra el archivo de configuración OpenVPN generado + Editando \"%s\" + Construyendo configuracion... + Reconectar en cambio de red + Conseguido el certificado de \'%s\' de almacén de claves + Estado de la red: %s + Seleccionar + Mostrar ventana de registro + Mostrar estadísticas de tráfico + Traducción al español por José Luis Bandala Perez<luis.449bp@gmail.com> + IP y DNS + Básico + Enrutamiento + Configuraciones oscuras de OpenVPN. Normalmente no se necesitan. + Avanzado + Configuracion Openvpn de ICS + Sin servidores DNS utilizados. La resolución de nombres puede que no funcione. Considere configurar servidores DNS personalizados + No se puede agregar el servidor DNS \"%1$s\", rechazado por el sistema: %2$s + Inicio rápido + Intente cargar el módulo del kernel tun.ko antes de intentar conectarse. Necesita dispositivos rooteados. + Cargar modulo tun + Importar PKCS12 de la configuración en el almacén de claves de Android + Error al obtener la configuración de proxy: %s + Usando proxy %1$s %2$d + Usar el proxy del sistema + Usted puede <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donar con PayPal</a> + OpenVPN volvera a conectar a una VPN si estaba activa en el apagado/reinicio del sistema. Por favor lea la P+F de advertencia de conexión antes de usar esta opción. + Vuelva a conectar al reiniciar + Ignorar + Reiniciar + Configuración cambiada + No se pudo determinar el último perfil conectado para editar + Notificaciones duplicadas + No hay perfiles VPN definidos. + Use el icono <img src=\"ic_menu_add\"/> para agregar una nueva VPN + Use el icono <img src=\"ic_menu_archive\"/> para importar un perfil existente (.ovpn or .conf) de tu tarjeta. + Asegúrese de checar también las preguntas frecuentes. Hay una guía de inicio rápido. 
+ Convertir formato remote-tls de OpenVPN 2.2 al formato 2.3 + Configuración de enrutamiento o interfaz + No regresar a modo sin conexión VPN cuando OpenVPN esta volviendose a conectar. + Tun persistente + Traducción + Registro de OpenVPN + Importar configuración de OpenVPN + Consumo de batería + diff --git a/res/values-he/strings.xml b/res/values-he/strings.xml index a71e2c4c..62b5ca91 100755 --- a/res/values-he/strings.xml +++ b/res/values-he/strings.xml @@ -1,7 +1,33 @@ + OpenVPN עבור אנדרואיד + כתובת שרת: + יציאת שרת: + מיקום + אין אפשרות לקרוא את התיקיה! + בחר + ביטול + אין נתונים + דחיסת LZO + אין תעודה + תעודת Client + מפתח תעודת Client + קובץ PKCS12 + תעודת רשות אישורים + לא נבחר דבר + קוד מקור וקוד עוקב זמינים תחת http://code.google.com/p/ics-openvpn/ + התוכנית משתמשת ברכיבים הבאים. קרא את קוד המקור לקבלת פרטים מלאים על הרשיונות + אודות + אודות OpenVPN עבור אנדרואיד + רשימה של כל תצורת ה-Vpn המוגדרות + פרופילים של תצורות VPN + סוג + סיסמת PKCS12 בחר + לא נבחר דבר + השתמש באימות TLS + כיוון TLS שרת DNS כדי להשתמש. שרת DNS אם אין אפשרות להגיע לשרת DNS רגיל שרת DNS משני. -- cgit v1.2.3 From 46290f01887ac0b24e014aa9cf37b8f7cd50585b Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sat, 15 Dec 2012 20:36:44 +0100 Subject: Minimal rework of notifications for JB --- AndroidManifest.xml | 2 +- project.properties | 2 +- src/de/blinkt/openvpn/OpenVpnService.java | 39 ++++++++++++++++++++----------- 3 files changed, 27 insertions(+), 16 deletions(-) diff --git a/AndroidManifest.xml b/AndroidManifest.xml index ad16b0ad..8e75f9fd 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -27,7 +27,7 @@ - + Date: Sat, 15 Dec 2012 20:57:17 +0100 Subject: Add english corrections from crowding for next version. --- res/values/strings.xml | 460 ++++++++++++++++++++++++------------------------- 1 file changed, 229 insertions(+), 231 deletions(-) mode change 100644 => 100755 res/values/strings.xml 
diff --git a/res/values/strings.xml b/res/values/strings.xml old mode 100644 new mode 100755 index 7958aca9..5dda7274 --- a/res/values/strings.xml +++ b/res/values/strings.xml 
@@ -1,234 +1,232 @@ + - OpenVPN for Android - Server Address: - Server Port: - Location - folder can\'t be read! - Select - Cancel - No Data - LZO Compression - No Certificate - Client Certificate - Client Certificate Key - PKCS12 File - CA Certificate - Nothing selected - Source code and issue tracker available under http://code.google.com/p/ics-openvpn/ - The program uses the following components. See the source for full details on the licenses - About - About OpenVPN for Android - List of all configured VPNs - VPN Profiles - Type - PKCS12 Password - Select… - Nothing Selected - Use TLS Authentication - TLS Direction - Enter IPv6 Address/Netmask in CIDR Format (e.g. 2000:dd::23/64) - Enter IPv4 Address/Netmask in CIDR Format (e.g. 1.2.3.4/24) - IPv4 Address - IPv6 Address - Enter custom OpenVPN options. Use with great care. Also note that many of the tun related OpenVPN settings cannot be supported by design of the VPNSettings. If you think an important option is missing contact the author - Username - Password - For the static configuration the TLS Auth Keys will be used as static keys. - Configure the VPN - Add Profile - Enter a name identifying the new Profile - Duplicate Profile Name - Profile Name - No User certificate selected. - No error found - Error in Configuration - Cannot parse the IPv4 address - Cannot parse the custom routes - Leave empty to query on demand - OpenVPN Shortcut - Connect to VPN - Profile specified in shortcut not found - Random Host Prefix - Adds 6 random chars in front of hostname - Enable Custom Options - Specify custom options. Use with care! - Route rejected by Android - Disconnect - clear log - Cancel Confirmation - Disconnect the connected VPN/cancel the connection attempt? - Remove VPN - Checks whether the server uses a TLS Server Certificate - Except TLS Server - Checks the Remote Server Certificate CN against a string - Certificate Hostname Check - Enter the string against which the remote Server is checked. 
OpenVPN will use prefix matching. "Server" matches "Server-1" and "Server-2"\nLeave empty to check the CN against the server hostname. - Remote Hostname(CN) - Enables the TLS Key Authentication - TLS Auth File - Requests IP addresses, routes and timing options from the server. - No information is requested from the server. Settings need to be specified below. - Pull Settings - DNS - Override DNS Settings by Server - Use your own DNS Servers - searchDomain - DNS Server to be used. - DNS Server - Secondary DNS Server used if the normal DNS Server cannot be reached. - Backup DNS Server - Ignore pushed routes - Ignore routed pushed by the server. - Redirects all Traffic over the VPN - Use default Route - Enter custom routes. Only enter destination in CIDR format. "10.0.0.0/8 2002::/16" would direct the networks 10.0.0.0/8 and 2002::/16 over the VPN. - Custom Routes - Log verbosity level - Allows authenticated packets from any IP - Allow floating server - Custom Options - Edit VPN Settings - Remove the VPN Profile %s? - On some custom ICS images the permission on /dev/tun might be wrong, or the tun module might be missing completely. For CM9 images try the fix ownership option under general settings - Opening tun interface failed badly. - "Error: " - Clear - info - Show connection details - Last interface configuration from OpenVPN: - Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d - DNS Server: %s - DNS Domain: %s - Routes: %s - Routes IPv6: %s - Got interface information %1$s and %2$s, assuming second address is peer address of remote. Using /32 netmask for local IP. Mode given by OpenVPN is \"%3$s\". - Cannot make sense of %1$s and %2$s as IP route with CIDR netmask, using /32 as netmask. - Corrected route %1$s/%2$s to %3$s/%2$s - Cannot access the Android Keychain Certificates. (Can be caused by a firmware upgrade or by restoring a backup of the app/app settings). 
Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certificate. - %1$s %2$s - Send log file - Send - ICS OpenVPN log file - Copied log entry to clip board - Tap Mode - Tap Mode is not possible with the non root VPN API. Therefore this application cannot provide tap support - Again? Are you kidding? No tap mode is really not supported and sending more mail asking if it will be supported will not help. - A third time? Actually one could write a a tap emulator based on tun that would add layer2 information on send and strip layer2 information on receive. But this tap emulator would have to implement also ARP and possible a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you want to start coding on this. - FAQ - Frequently asked questions and some advice - Copying log entries - To copy a single log entry press and and hold on the log entry. To copy/send the whole log use the Send Log option. Use the hardware menu button if not visible in the GUI. - Shortcut to start - You can place a shortcut to start OpenVPN on your desktop. Depending on your homescreen program you have to add a shortcut or a widget. - Your image does not support the VPNService API,sorry :( - Encryption - Enter encryption method - Enter the cipher key for OpenVPN. Leave empty to use default cipher - Authentication/Encryption - File Explorer - Inline File - Import - Error importing File - Could not import File from filesystem - [[Inline file data]] - Refusing to open tun device without IP information - Import Profile from ovpn file - Import - Could not read Profile to import - Error reading config file - add Profile - Trying to read file: %1$s - Could not find file %1$s mentioned in the imported config file - Importing config file from source %1$s - Your configuration had a few configuration options that could be parsed. These options were added as custom configuration options. 
The custom configuration is displayed below: - Done reading config file. - Do not bind to local address and port - No local binding - Import configuration file - Security considerations - "As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly recommended that you import them into the android keystore." - Import - Error showing certificate selection - Got an exception trying to show the Android 4.0+ certificate selection dialog. This should never happen as this a standard feature of Android 4.0+. Maybe your Android ROM support for certificate storage is broken - IPv4 - IPv6 - Waiting for state message… - imported profile - imported profile %d - Broken Images - <p>Official HTC images are known to have a strange routing problem causing traffic not to flow through the tunnel (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a> in the bug tracker.)</p><p>The official SONY images from Xperia arc S and Xperia Ray have been reported to be missing the VPNService completely from the image. Other Sony images may be affected as well. (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a> in the bug tracker.)</p><p>On custom build images the tun module might be missing or the rights of /dev/tun might be wrong. 
Some CM9 images need the fix ownership option under general settings.</p><p>Most important: If you have a broken image, report it to your vendor. The more people report the issue to the vendor the more likely you will get a fix.</p> - The username must not be empty. - PKCS12 File Encryption Key - Private Key Password - Password - file icon - TLS Authentication - Generated Config - General Settings - Tries to set the owner of /dev/tun to system. Some CM9 images need this to make the VPNService API work. Requires root. - Fix ownership of /dev/tun - Shows the generated OpenVPN Configuration File - Editing \"%s\" - Building configuration… - Turning this option on will force a reconnect if the network state is change (WIFI to/from mobile) - Reconnect on network change - Got certificate \'%s\' from Keystore - Network Status: %s - The CA cert is usually returned from the Android Keystore. Specify a separate certificate if you get certificate verification errors. - Select - No CA Certificate returned while reading from Android keystore. Auhtentication will probably fail. - Shows the log window on connect. The log window can always be accessed from the notification status. - Show log window - Keep the notification displayed after the connection is established to show traffic statistics. - Show Traffic Statistics - Running on %1$s (%2$s) %3$s, Android API %4$d - Error signing with Android keystore key %1$s: %2$s - The VPN connection warning telling you that this app can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (The key symbol) is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be circumenvented. 
(On some images this unfortunely includes a notifciation sound) - Connection warning and notification sound - - English translation by Arne Schwabe<arne@rfc2549.org> - IP and DNS - Basic - Routing - Obscure OpenVPN Settings. Normally not needed. - Advanced - ICS Openvpn Config - No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers - Could not add DNS Server \"%1$s\", rejected by the system: %2$s - <p>Get a working config (tested on your computer or download from your provider/organisation)</p><p>If it is a single file no with no extra pem/pks12 files you can email the file yourself and open the attachment. If you have multiple files put them on your sd card.</p><p>Click on the email attachment/Use the folder icon in the vpn list to import the config file</p><p>If there are errors about missing files put the missing files on your sd card.</p><p>Click on the save symbol to add the imported VPN to your VPN list</p><p>Connect the VPN by clicking on the name of the VPN</p><p>If there are error or warnings in the log try to understand the warnings/error and try to fix them</p> - Quick Start - Try to load the tun.ko kernel module before trying to connect. Needs rooted devices. - Load tun module - Import PKCS12 from configuration into Android Keystore - Error getting proxy settings: %s - Using proxy %1$s %2$d - Use system proxy - Use the system wide configuration for HTTP/HTTPS proxies to connect. - You can <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donate with PayPal</a> - OpenVPN will reconnect a VPN if it was active on system reboot/shutdown. Please read the Connection warning FAQ before using this option. - Reconnect on reboot - Ignore - Restart - Configuration changes are applied after restarting the VPN. (Re)start the VPN now? 
- Configuration changed - Could not determine last connected profile for editing - Duplicate notifications - If Android is under system memory (RAM) pressure, apps and service which are not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority the application must display a notification. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as app notification for purpose of running with higher priority. - No VPN profiles defined. - Use the <img src=\"ic_menu_add\"/> icon to add a new VPN - Use the <img src=\"ic_menu_archive\"/> icon to import an existing (.ovpn or .conf) profile from your sdcard. - Be sure to also check out the FAQ. There is a quick start guide. - Convert remote-tls format from OpenVPN 2.2 to 2.3 format - Routing/Interface Configuration - The Routing and interface configuration is not done via traditionell ifconfig/route command but by using the VPNService API. This results in a different routing configuration than on other OSes. The configuration only consists of the IP of the tunnel interface and the networks that should be routed over this interface. Especially no peer partner address or gateway address is needed. Special routes to reach the VPN Server (for example added when using redirect-gateway) are not needed either. The application will consequently ignore these settings when importing a configuration. The app ensures with the VPNService API that the connection to the server is not routed through the VPN tunnel. Since only specifing networks to be routed via tunnel is supported extra routes not pointing to the tunnel cannot be supported either. (e.g. route x.x.x.x y.y.y.y net_gateway). The show information button in the log windows show the current configuration of the VPNService network configuration. 
- Do not fallback to no VPN connection when OpenVPN is reconnecting. - Persistent tun - Translation - OpenVPN Log - Import OpenVPN configuration - Battery consumption - In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which translates to a keepalive packet from client to server and server to client every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunately using a keepalive larger than 60 seconds with udp has problems with some NAT gateways which terminate the state for a connnection after a short timeout (60s in my tests). Using TCP with long keepalive timeout works but has the TCP over TCP problem. (See <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>) - The Android Tethering feature (over WiFi, USB or Bluetooth) and the VPNService API (used by this program) do not work together. 
For more details see the <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a> - VPN and Tethering + OpenVPN for Android + Server Address: + Server Port: + Location + Unable to read directory + Select + Cancel + No Data + LZO Compression + No Certificate + Client Certificate + Client Certificate Key + PKCS12 File + CA Certificate + You must select a certificate + Source code and issue tracker available at http://code.google.com/p/ics-openvpn/ + This program uses the following components; see the source code for full details on the licenses + About + About OpenVPN for Android + List of all configured VPNs + VPN Profiles + Type + PKCS12 Password + Select… + You must select a file + Use TLS Authentication + TLS Direction + Enter IPv6 Address/Netmask in CIDR Format (e.g. 2000:dd::23/64) + Enter IPv4 Address/Netmask in CIDR Format (e.g. 1.2.3.4/24) + IPv4 Address + IPv6 Address + Enter custom OpenVPN options. Use with caution. Also note that many of the tun related OpenVPN settings cannot be supported by design of the VPNSettings. If you think an important option is missing contact the author + Username + Password + For the static configuration the TLS Auth Keys will be used as static keys + Configure the VPN + Add Profile + Enter a name identifying the new Profile + Please enter a unique Profile Name + Profile Name + You must select a User certificate + No error found + Error in Configuration + Error parsing the IPv4 address + Error parsing the custom routes + (leave empty to query on demand) + OpenVPN Shortcut + Connect to VPN + Profile specified in shortcut not found + Random Host Prefix + Adds 6 random chars in front of hostname + Enable Custom Options + Specify custom options. Use with care! + Route rejected by Android + Disconnect + clear log + Cancel Confirmation + Disconnect the connected VPN/cancel the connection attempt? 
+ Remove VPN + Checks whether the server uses a TLS Server Certificate + Except TLS Server + Checks the Remote Server Certificate CN against a string + Certificate Hostname Check + Enter the string against which the remote Server is checked. OpenVPN will use prefix matching. \"Server\" matches \"Server-1\" and \"Server-2\"\nLeave empty to check the CN against the server hostname. + Remote Hostname(CN) + Enables the TLS Key Authentication + TLS Auth File + Requests IP addresses, routes and timing options from the server. + No information is requested from the server. Settings need to be specified below. + Pull Settings + DNS + Override DNS Settings by Server + Use your own DNS Servers + searchDomain + DNS Server to be used. + DNS Server + Secondary DNS Server used if the normal DNS Server cannot be reached. + Backup DNS Server + Ignore pushed routes + Ignore routed pushed by the server. + Redirects all Traffic over the VPN + Use default Route + Enter custom routes. Only enter destination in CIDR format. \"10.0.0.0/8 2002::/16\" would direct the networks 10.0.0.0/8 and 2002::/16 over the VPN. + Custom Routes + Log verbosity level + Allows authenticated packets from any IP + Allow floating server + Custom Options + Edit VPN Settings + Remove the VPN Profile \'%s\'? + On some custom ICS images the permission on /dev/tun might be wrong, or the tun module might be missing completely. For CM9 images try the fix ownership option under general settings + Failed to open the tun interface + "Error: " + Clear + info + Show connection details + Last interface configuration from OpenVPN: + Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d + DNS Server: %s + DNS Domain: %s + Routes: %s + Routes IPv6: %s + Got interface information %1$s and %2$s, assuming second address is peer address of remote. Using /32 netmask for local IP. Mode given by OpenVPN is \"%3$s\". + Cannot make sense of %1$s and %2$s as IP route with CIDR netmask, using /32 as netmask. 
+ Corrected route %1$s/%2$s to %3$s/%2$s + Cannot access the Android Keychain Certificates. This can be caused by a firmware upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certificate. + %1$s %2$s + Send log file + Send + ICS OpenVPN log file + Copied log entry to clip board + Tap Mode + Tap Mode is not possible with the non root VPN API. Therefore this application cannot provide tap support + Again? Are you kidding? No, tap mode is really not supported and sending more mail asking if it will be supported will not help. + A third time? Actually, one could write a a tap emulator based on tun that would add layer2 information on send and strip layer2 information on receive. But this tap emulator would also have to implement ARP and possibly a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you want to start coding on this. + FAQ + Frequently asked questions and some advice + Copying log entries + To copy a single log entry press and and hold on the log entry. To copy/send the whole log use the Send Log option. Use the hardware menu button if not visible in the GUI. + Shortcut to start + You can place a shortcut to start OpenVPN on your desktop. Depending on your homescreen program you have to add a shortcut or a widget. + Your image does not support the VPNService API, sorry :( + Encryption + Enter encryption method + Enter the cipher key for OpenVPN. 
Leave empty to use default cipher + Authentication/Encryption + File Explorer + Inline File + Import + Error importing File + Could not import File from filesystem + [[Inline file data]] + Refusing to open tun device without IP information + Import Profile from ovpn file + Import + Could not read Profile to import + Error reading config file + add Profile + Trying to read file: %1$s + Could not find file %1$s mentioned in the imported config file + Importing config file from source %1$s + Your configuration had a few configuration options that could be parsed. These options were added as custom configuration options. The custom configuration is displayed below: + Done reading config file. + Do not bind to local address and port + No local binding + Import configuration file + Security considerations + "As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly recommended that you import them into the android keystore." + Import + Error showing certificate selection + Got an exception trying to show the Android 4.0+ certificate selection dialog. This should never happen as this a standard feature of Android 4.0+. 
Maybe your Android ROM support for certificate storage is broken + IPv4 + IPv6 + Waiting for state message… + imported profile + imported profile %d + Broken Images + <p>Official HTC images are known to have a strange routing problem causing traffic not to flow through the tunnel (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a> in the bug tracker.)</p><p>The official SONY images from Xperia arc S and Xperia Ray have been reported to be missing the VPNService completely from the image. Other Sony images may be affected as well. (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a> in the bug tracker.)</p><p>On custom build images the tun module might be missing or the rights of /dev/tun might be wrong. Some CM9 images need the fix ownership option under general settings.</p><p>Most important: If you have a broken image, report it to your vendor. The more people report the issue to the vendor the more likely you will get a fix.</p> + The username must not be empty. + PKCS12 File Encryption Key + Private Key Password + Password + file icon + TLS Authentication + Generated Config + General Settings + Tries to set the owner of /dev/tun to system. Some CM9 images need this to make the VPNService API work. Requires root. + Fix ownership of /dev/tun + Shows the generated OpenVPN Configuration File + Editing \"%s\" + Building configuration… + Turning this option on will force a reconnect if the network state is changed (e.g. WiFi to/from mobile) + Reconnect on network change + Got certificate \'%s\' from Keystore + Network Status: %s + The CA cert is usually returned from the Android Keystore. Specify a separate certificate if you get certificate verification errors. + Select + No CA Certificate returned while reading from Android keystore. Auhtentication will probably fail. + Shows the log window on connect. The log window can always be accessed from the notification status. 
+ Show log window + Keep the notification displayed after the connection is established to show traffic statistics. + Show Traffic Statistics + Running on %1$s (%2$s) %3$s, Android API %4$d + Error signing with Android keystore key %1$s: %2$s + The VPN connection warning telling you that this app can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (The key symbol) is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be circumenvented. (On some images this unfortunely includes a notifciation sound) + Connection warning and notification sound + English translation by Arne Schwabe<arne@rfc2549.org> + IP and DNS + Basic + Routing + Obscure OpenVPN Settings. Normally not needed. + Advanced + ICS Openvpn Config + No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers + Could not add DNS Server \"%1$s\", rejected by the system: %2$s + <p>Get a working config (tested on your computer or download from your provider/organisation)</p><p>If it is a single file no with no extra pem/pks12 files you can email the file yourself and open the attachment. If you have multiple files put them on your sd card.</p><p>Click on the email attachment/Use the folder icon in the vpn list to import the config file</p><p>If there are errors about missing files put the missing files on your sd card.</p><p>Click on the save symbol to add the imported VPN to your VPN list</p><p>Connect the VPN by clicking on the name of the VPN</p><p>If there are error or warnings in the log try to understand the warnings/error and try to fix them</p> + Quick Start + Try to load the tun.ko kernel module before trying to connect. Needs rooted devices. 
+ Load tun module + Import PKCS12 from configuration into Android Keystore + Error getting proxy settings: %s + Using proxy %1$s %2$d + Use system proxy + Use the system wide configuration for HTTP/HTTPS proxies to connect. + You can <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donate with PayPal</a> + OpenVPN will reconnect a VPN if it was active on system reboot/shutdown. Please read the Connection warning FAQ before using this option. + Reconnect on reboot + Ignore + Restart + Configuration changes are applied after restarting the VPN. (Re)start the VPN now? + Configuration changed + Could not determine last connected profile for editing + Duplicate notifications + If Android is under system memory (RAM) pressure, apps and service which are not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority the application must display a notification. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as app notification for purpose of running with higher priority. + No VPN profiles defined. + Use the <img src=\"ic_menu_add\"/> icon to add a new VPN + Use the <img src=\"ic_menu_archive\"/> icon to import an existing (.ovpn or .conf) profile from your sdcard. + Be sure to also check out the FAQ. There is a quick start guide. + Convert remote-tls format from OpenVPN 2.2 to 2.3 format + Routing/Interface Configuration + The Routing and interface configuration is not done via traditionell ifconfig/route command but by using the VPNService API. This results in a different routing configuration than on other OSes. The configuration only consists of the IP of the tunnel interface and the networks that should be routed over this interface. Especially no peer partner address or gateway address is needed. 
Special routes to reach the VPN Server (for example added when using redirect-gateway) are not needed either. The application will consequently ignore these settings when importing a configuration. The app ensures with the VPNService API that the connection to the server is not routed through the VPN tunnel. Since only specifing networks to be routed via tunnel is supported extra routes not pointing to the tunnel cannot be supported either. (e.g. route x.x.x.x y.y.y.y net_gateway). The show information button in the log windows show the current configuration of the VPNService network configuration. + Do not fallback to no VPN connection when OpenVPN is reconnecting. + Persistent tun + Translation + OpenVPN Log + Import OpenVPN configuration + Battery consumption + In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which translates to a keepalive packet from client to server and server to client every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunatly using a keepalive larger than 60 seconds with udp has problems with some NAT gateways which terminate the state for a connnection after a short timeout (60s in my tests). Using TCP with long keepalive timeout works but has the TCP over TCP problem. (See <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>) -- cgit v1.2.3 From c744fafc2d0f9d42692203d1b6bbe37f9dbe98e4 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sat, 15 Dec 2012 20:58:51 +0100 Subject: Added tag v0.5.25 for changeset 0378ae6b1307 --- .hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/.hgtags b/.hgtags index cf88f2d9..d6169206 100644 
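Review bot: In res/values/strings.xml the added side ends at the battery-consumption text and no longer carries the last two entries of the removed side, the tethering FAQ text ("The Android Tethering feature … do not work together") and its title `VPN and Tethering`. The header `@@ -1,234 +1,232 @@` and the diffstat (229 insertions, 231 deletions) agree with exactly two entries being lost. The FAQ layout from the earlier "VPN+tethering is becoming a FAQ" commit presumably still refers to these resources, so the build or the FAQ screen would likely break; the resource names are not visible in this rendering, so confirm against the file and re-add both entries. The same import also turns `Unfortunately` back into `Unfortunatly`, undoing the earlier spelling fix. The `old mode 100644` to `new mode 100755` change marks an XML resource as executable and looks unintended.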
--- a/.hgtags
+++ b/.hgtags
@@ -21,3 +21,4 @@ cffe1c5ae6c42ecfbca66d055bf4dfcd680c8434 v0.5.20
 e1e9c63323ca53270bee1aed9cca2f6fa207bbfa v0.5.22
 d356e8526528be9d800d83022aa8004c910fa407 v0.5.23
 24243dbbd2bdb0b4e3740e333eecd0c96a686f05 v0.5.24
+0378ae6b13074c269e4d38e9b78dddbb3b876643 v0.5.25
-- 
cgit v1.2.3
From 2bd9a136b724da9e46fe208f3ade41f40ff317b6 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Sat, 15 Dec 2012 21:13:41 +0100
Subject: These two strings got lost.
---
 res/values/strings.xml | 464 +++++++++++++++++++++++++------------------------
 1 file changed, 234 insertions(+), 230 deletions(-)
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 5dda7274..74d05fb5 100755
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -1,232 +1,236 @@ - + - OpenVPN for Android - Server Address: - Server Port: - Location - Unable to read directory - Select - Cancel - No Data - LZO Compression - No Certificate - Client Certificate - Client Certificate Key - PKCS12 File - CA Certificate - You must select a certificate - Source code and issue tracker available at http://code.google.com/p/ics-openvpn/ - This program uses the following components; see the source code for full details on the licenses - About - About OpenVPN for Android - List of all configured VPNs - VPN Profiles - Type - PKCS12 Password - Select… - You must select a file - Use TLS Authentication - TLS Direction - Enter IPv6 Address/Netmask in CIDR Format (e.g. 2000:dd::23/64) - Enter IPv4 Address/Netmask in CIDR Format (e.g. 1.2.3.4/24) - IPv4 Address - IPv6 Address - Enter custom OpenVPN options. Use with caution. Also note that many of the tun related OpenVPN settings cannot be supported by design of the VPNSettings. If you think an important option is missing contact the author - Username - Password - For the static configuration the TLS Auth Keys will be used as static keys - Configure the VPN - Add Profile - Enter a name identifying the new Profile - Please enter a unique Profile Name - Profile Name - You must select a User certificate - No error found - Error in Configuration - Error parsing the IPv4 address - Error parsing the custom routes - (leave empty to query on demand) - OpenVPN Shortcut - Connect to VPN - Profile specified in shortcut not found - Random Host Prefix - Adds 6 random chars in front of hostname - Enable Custom Options - Specify custom options. Use with care! - Route rejected by Android - Disconnect - clear log - Cancel Confirmation - Disconnect the connected VPN/cancel the connection attempt? 
- Remove VPN - Checks whether the server uses a TLS Server Certificate - Except TLS Server - Checks the Remote Server Certificate CN against a string - Certificate Hostname Check - Enter the string against which the remote Server is checked. OpenVPN will use prefix matching. \"Server\" matches \"Server-1\" and \"Server-2\"\nLeave empty to check the CN against the server hostname. - Remote Hostname(CN) - Enables the TLS Key Authentication - TLS Auth File - Requests IP addresses, routes and timing options from the server. - No information is requested from the server. Settings need to be specified below. - Pull Settings - DNS - Override DNS Settings by Server - Use your own DNS Servers - searchDomain - DNS Server to be used. - DNS Server - Secondary DNS Server used if the normal DNS Server cannot be reached. - Backup DNS Server - Ignore pushed routes - Ignore routed pushed by the server. - Redirects all Traffic over the VPN - Use default Route - Enter custom routes. Only enter destination in CIDR format. \"10.0.0.0/8 2002::/16\" would direct the networks 10.0.0.0/8 and 2002::/16 over the VPN. - Custom Routes - Log verbosity level - Allows authenticated packets from any IP - Allow floating server - Custom Options - Edit VPN Settings - Remove the VPN Profile \'%s\'? - On some custom ICS images the permission on /dev/tun might be wrong, or the tun module might be missing completely. For CM9 images try the fix ownership option under general settings - Failed to open the tun interface - "Error: " - Clear - info - Show connection details - Last interface configuration from OpenVPN: - Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d - DNS Server: %s - DNS Domain: %s - Routes: %s - Routes IPv6: %s - Got interface information %1$s and %2$s, assuming second address is peer address of remote. Using /32 netmask for local IP. Mode given by OpenVPN is \"%3$s\". - Cannot make sense of %1$s and %2$s as IP route with CIDR netmask, using /32 as netmask. 
- Corrected route %1$s/%2$s to %3$s/%2$s - Cannot access the Android Keychain Certificates. This can be caused by a firmware upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certificate. - %1$s %2$s - Send log file - Send - ICS OpenVPN log file - Copied log entry to clip board - Tap Mode - Tap Mode is not possible with the non root VPN API. Therefore this application cannot provide tap support - Again? Are you kidding? No, tap mode is really not supported and sending more mail asking if it will be supported will not help. - A third time? Actually, one could write a a tap emulator based on tun that would add layer2 information on send and strip layer2 information on receive. But this tap emulator would also have to implement ARP and possibly a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you want to start coding on this. - FAQ - Frequently asked questions and some advice - Copying log entries - To copy a single log entry press and and hold on the log entry. To copy/send the whole log use the Send Log option. Use the hardware menu button if not visible in the GUI. - Shortcut to start - You can place a shortcut to start OpenVPN on your desktop. Depending on your homescreen program you have to add a shortcut or a widget. - Your image does not support the VPNService API, sorry :( - Encryption - Enter encryption method - Enter the cipher key for OpenVPN. 
Leave empty to use default cipher - Authentication/Encryption - File Explorer - Inline File - Import - Error importing File - Could not import File from filesystem - [[Inline file data]] - Refusing to open tun device without IP information - Import Profile from ovpn file - Import - Could not read Profile to import - Error reading config file - add Profile - Trying to read file: %1$s - Could not find file %1$s mentioned in the imported config file - Importing config file from source %1$s - Your configuration had a few configuration options that could be parsed. These options were added as custom configuration options. The custom configuration is displayed below: - Done reading config file. - Do not bind to local address and port - No local binding - Import configuration file - Security considerations - "As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly recommended that you import them into the android keystore." - Import - Error showing certificate selection - Got an exception trying to show the Android 4.0+ certificate selection dialog. This should never happen as this a standard feature of Android 4.0+. 
Maybe your Android ROM support for certificate storage is broken - IPv4 - IPv6 - Waiting for state message… - imported profile - imported profile %d - Broken Images - <p>Official HTC images are known to have a strange routing problem causing traffic not to flow through the tunnel (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a> in the bug tracker.)</p><p>The official SONY images from Xperia arc S and Xperia Ray have been reported to be missing the VPNService completely from the image. Other Sony images may be affected as well. (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a> in the bug tracker.)</p><p>On custom build images the tun module might be missing or the rights of /dev/tun might be wrong. Some CM9 images need the fix ownership option under general settings.</p><p>Most important: If you have a broken image, report it to your vendor. The more people report the issue to the vendor the more likely you will get a fix.</p> - The username must not be empty. - PKCS12 File Encryption Key - Private Key Password - Password - file icon - TLS Authentication - Generated Config - General Settings - Tries to set the owner of /dev/tun to system. Some CM9 images need this to make the VPNService API work. Requires root. - Fix ownership of /dev/tun - Shows the generated OpenVPN Configuration File - Editing \"%s\" - Building configuration… - Turning this option on will force a reconnect if the network state is changed (e.g. WiFi to/from mobile) - Reconnect on network change - Got certificate \'%s\' from Keystore - Network Status: %s - The CA cert is usually returned from the Android Keystore. Specify a separate certificate if you get certificate verification errors. - Select - No CA Certificate returned while reading from Android keystore. Auhtentication will probably fail. - Shows the log window on connect. The log window can always be accessed from the notification status. 
- Show log window - Keep the notification displayed after the connection is established to show traffic statistics. - Show Traffic Statistics - Running on %1$s (%2$s) %3$s, Android API %4$d - Error signing with Android keystore key %1$s: %2$s - The VPN connection warning telling you that this app can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (The key symbol) is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be circumenvented. (On some images this unfortunely includes a notifciation sound) - Connection warning and notification sound - English translation by Arne Schwabe<arne@rfc2549.org> - IP and DNS - Basic - Routing - Obscure OpenVPN Settings. Normally not needed. - Advanced - ICS Openvpn Config - No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers - Could not add DNS Server \"%1$s\", rejected by the system: %2$s - <p>Get a working config (tested on your computer or download from your provider/organisation)</p><p>If it is a single file no with no extra pem/pks12 files you can email the file yourself and open the attachment. If you have multiple files put them on your sd card.</p><p>Click on the email attachment/Use the folder icon in the vpn list to import the config file</p><p>If there are errors about missing files put the missing files on your sd card.</p><p>Click on the save symbol to add the imported VPN to your VPN list</p><p>Connect the VPN by clicking on the name of the VPN</p><p>If there are error or warnings in the log try to understand the warnings/error and try to fix them</p> - Quick Start - Try to load the tun.ko kernel module before trying to connect. Needs rooted devices. 
- Load tun module - Import PKCS12 from configuration into Android Keystore - Error getting proxy settings: %s - Using proxy %1$s %2$d - Use system proxy - Use the system wide configuration for HTTP/HTTPS proxies to connect. - You can <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donate with PayPal</a> - OpenVPN will reconnect a VPN if it was active on system reboot/shutdown. Please read the Connection warning FAQ before using this option. - Reconnect on reboot - Ignore - Restart - Configuration changes are applied after restarting the VPN. (Re)start the VPN now? - Configuration changed - Could not determine last connected profile for editing - Duplicate notifications - If Android is under system memory (RAM) pressure, apps and service which are not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority the application must display a notification. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as app notification for purpose of running with higher priority. - No VPN profiles defined. - Use the <img src=\"ic_menu_add\"/> icon to add a new VPN - Use the <img src=\"ic_menu_archive\"/> icon to import an existing (.ovpn or .conf) profile from your sdcard. - Be sure to also check out the FAQ. There is a quick start guide. - Convert remote-tls format from OpenVPN 2.2 to 2.3 format - Routing/Interface Configuration - The Routing and interface configuration is not done via traditionell ifconfig/route command but by using the VPNService API. This results in a different routing configuration than on other OSes. The configuration only consists of the IP of the tunnel interface and the networks that should be routed over this interface. Especially no peer partner address or gateway address is needed. 
Special routes to reach the VPN Server (for example added when using redirect-gateway) are not needed either. The application will consequently ignore these settings when importing a configuration. The app ensures with the VPNService API that the connection to the server is not routed through the VPN tunnel. Since only specifing networks to be routed via tunnel is supported extra routes not pointing to the tunnel cannot be supported either. (e.g. route x.x.x.x y.y.y.y net_gateway). The show information button in the log windows show the current configuration of the VPNService network configuration. - Do not fallback to no VPN connection when OpenVPN is reconnecting. - Persistent tun - Translation - OpenVPN Log - Import OpenVPN configuration - Battery consumption - In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which translates to a keepalive packet from client to server and server to client every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunatly using a keepalive larger than 60 seconds with udp has problems with some NAT gateways which terminate the state for a connnection after a short timeout (60s in my tests). Using TCP with long keepalive timeout works but has the TCP over TCP problem. 
(See <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>) - + + OpenVPN for Android + Server Address: + Server Port: + Location + Unable to read directory + Select + Cancel + No Data + LZO Compression + No Certificate + Client Certificate + Client Certificate Key + PKCS12 File + CA Certificate + You must select a certificate + Source code and issue tracker available at http://code.google.com/p/ics-openvpn/ + This program uses the following components; see the source code for full details on the licenses + About + About OpenVPN for Android + List of all configured VPNs + VPN Profiles + Type + PKCS12 Password + Select… + You must select a file + Use TLS Authentication + TLS Direction + Enter IPv6 Address/Netmask in CIDR Format (e.g. 2000:dd::23/64) + Enter IPv4 Address/Netmask in CIDR Format (e.g. 1.2.3.4/24) + IPv4 Address + IPv6 Address + Enter custom OpenVPN options. Use with caution. Also note that many of the tun related OpenVPN settings cannot be supported by design of the VPNSettings. If you think an important option is missing contact the author + Username + Password + For the static configuration the TLS Auth Keys will be used as static keys + Configure the VPN + Add Profile + Enter a name identifying the new Profile + Please enter a unique Profile Name + Profile Name + You must select a User certificate + No error found + Error in Configuration + Error parsing the IPv4 address + Error parsing the custom routes + (leave empty to query on demand) + OpenVPN Shortcut + Connect to VPN + Profile specified in shortcut not found + Random Host Prefix + Adds 6 random chars in front of hostname + Enable Custom Options + Specify custom options. Use with care! + Route rejected by Android + Disconnect + clear log + Cancel Confirmation + Disconnect the connected VPN/cancel the connection attempt? 
+ Remove VPN + Checks whether the server uses a TLS Server Certificate + Except TLS Server + Checks the Remote Server Certificate CN against a string + Certificate Hostname Check + Enter the string against which the remote Server is checked. OpenVPN will use prefix matching. \"Server\" matches \"Server-1\" and \"Server-2\"\nLeave empty to check the CN against the server hostname. + Remote Hostname(CN) + Enables the TLS Key Authentication + TLS Auth File + Requests IP addresses, routes and timing options from the server. + No information is requested from the server. Settings need to be specified below. + Pull Settings + DNS + Override DNS Settings by Server + Use your own DNS Servers + searchDomain + DNS Server to be used. + DNS Server + Secondary DNS Server used if the normal DNS Server cannot be reached. + Backup DNS Server + Ignore pushed routes + Ignore routed pushed by the server. + Redirects all Traffic over the VPN + Use default Route + Enter custom routes. Only enter destination in CIDR format. \"10.0.0.0/8 2002::/16\" would direct the networks 10.0.0.0/8 and 2002::/16 over the VPN. + Custom Routes + Log verbosity level + Allows authenticated packets from any IP + Allow floating server + Custom Options + Edit VPN Settings + Remove the VPN Profile \'%s\'? + On some custom ICS images the permission on /dev/tun might be wrong, or the tun module might be missing completely. For CM9 images try the fix ownership option under general settings + Failed to open the tun interface + "Error: " + Clear + info + Show connection details + Last interface configuration from OpenVPN: + Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d + DNS Server: %s + DNS Domain: %s + Routes: %s + Routes IPv6: %s + Got interface information %1$s and %2$s, assuming second address is peer address of remote. Using /32 netmask for local IP. Mode given by OpenVPN is \"%3$s\". + Cannot make sense of %1$s and %2$s as IP route with CIDR netmask, using /32 as netmask. 
+ Corrected route %1$s/%2$s to %3$s/%2$s + Cannot access the Android Keychain Certificates. This can be caused by a firmware upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certificate. + %1$s %2$s + Send log file + Send + ICS OpenVPN log file + Copied log entry to clip board + Tap Mode + Tap Mode is not possible with the non root VPN API. Therefore this application cannot provide tap support + Again? Are you kidding? No, tap mode is really not supported and sending more mail asking if it will be supported will not help. + A third time? Actually, one could write a a tap emulator based on tun that would add layer2 information on send and strip layer2 information on receive. But this tap emulator would also have to implement ARP and possibly a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you want to start coding on this. + FAQ + Frequently asked questions and some advice + Copying log entries + To copy a single log entry press and and hold on the log entry. To copy/send the whole log use the Send Log option. Use the hardware menu button if not visible in the GUI. + Shortcut to start + You can place a shortcut to start OpenVPN on your desktop. Depending on your homescreen program you have to add a shortcut or a widget. + Your image does not support the VPNService API, sorry :( + Encryption + Enter encryption method + Enter the cipher key for OpenVPN. 
Leave empty to use default cipher + Authentication/Encryption + File Explorer + Inline File + Import + Error importing File + Could not import File from filesystem + [[Inline file data]] + Refusing to open tun device without IP information + Import Profile from ovpn file + Import + Could not read Profile to import + Error reading config file + add Profile + Trying to read file: %1$s + Could not find file %1$s mentioned in the imported config file + Importing config file from source %1$s + Your configuration had a few configuration options that could be parsed. These options were added as custom configuration options. The custom configuration is displayed below: + Done reading config file. + Do not bind to local address and port + No local binding + Import configuration file + Security considerations + "As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly recommended that you import them into the android keystore." + Import + Error showing certificate selection + Got an exception trying to show the Android 4.0+ certificate selection dialog. This should never happen as this a standard feature of Android 4.0+. 
Maybe your Android ROM support for certificate storage is broken + IPv4 + IPv6 + Waiting for state message… + imported profile + imported profile %d + Broken Images + <p>Official HTC images are known to have a strange routing problem causing traffic not to flow through the tunnel (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">Issue 18</a> in the bug tracker.)</p><p>The official SONY images from Xperia arc S and Xperia Ray have been reported to be missing the VPNService completely from the image. Other Sony images may be affected as well. (See also <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">Issue 29</a> in the bug tracker.)</p><p>On custom build images the tun module might be missing or the rights of /dev/tun might be wrong. Some CM9 images need the fix ownership option under general settings.</p><p>Most important: If you have a broken image, report it to your vendor. The more people report the issue to the vendor the more likely you will get a fix.</p> + The username must not be empty. + PKCS12 File Encryption Key + Private Key Password + Password + file icon + TLS Authentication + Generated Config + General Settings + Tries to set the owner of /dev/tun to system. Some CM9 images need this to make the VPNService API work. Requires root. + Fix ownership of /dev/tun + Shows the generated OpenVPN Configuration File + Editing \"%s\" + Building configuration… + Turning this option on will force a reconnect if the network state is changed (e.g. WiFi to/from mobile) + Reconnect on network change + Got certificate \'%s\' from Keystore + Network Status: %s + The CA cert is usually returned from the Android Keystore. Specify a separate certificate if you get certificate verification errors. + Select + No CA Certificate returned while reading from Android keystore. Auhtentication will probably fail. + Shows the log window on connect. The log window can always be accessed from the notification status. 
+ Show log window + Keep the notification displayed after the connection is established to show traffic statistics. + Show Traffic Statistics + Running on %1$s (%2$s) %3$s, Android API %4$d + Error signing with Android keystore key %1$s: %2$s + The VPN connection warning telling you that this app can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (The key symbol) is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be circumenvented. (On some images this unfortunely includes a notifciation sound) + Connection warning and notification sound + English translation by Arne Schwabe<arne@rfc2549.org> + IP and DNS + Basic + Routing + Obscure OpenVPN Settings. Normally not needed. + Advanced + ICS Openvpn Config + No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers + Could not add DNS Server \"%1$s\", rejected by the system: %2$s + <p>Get a working config (tested on your computer or download from your provider/organisation)</p><p>If it is a single file no with no extra pem/pks12 files you can email the file yourself and open the attachment. If you have multiple files put them on your sd card.</p><p>Click on the email attachment/Use the folder icon in the vpn list to import the config file</p><p>If there are errors about missing files put the missing files on your sd card.</p><p>Click on the save symbol to add the imported VPN to your VPN list</p><p>Connect the VPN by clicking on the name of the VPN</p><p>If there are error or warnings in the log try to understand the warnings/error and try to fix them</p> + Quick Start + Try to load the tun.ko kernel module before trying to connect. Needs rooted devices. 
+ Load tun module + Import PKCS12 from configuration into Android Keystore + Error getting proxy settings: %s + Using proxy %1$s %2$d + Use system proxy + Use the system wide configuration for HTTP/HTTPS proxies to connect. + You can <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donate with PayPal</a> + OpenVPN will reconnect a VPN if it was active on system reboot/shutdown. Please read the Connection warning FAQ before using this option. + Reconnect on reboot + Ignore + Restart + Configuration changes are applied after restarting the VPN. (Re)start the VPN now? + Configuration changed + Could not determine last connected profile for editing + Duplicate notifications + If Android is under system memory (RAM) pressure, apps and service which are not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority the application must display a notification. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as app notification for purpose of running with higher priority. + No VPN profiles defined. + Use the <img src=\"ic_menu_add\"/> icon to add a new VPN + Use the <img src=\"ic_menu_archive\"/> icon to import an existing (.ovpn or .conf) profile from your sdcard. + Be sure to also check out the FAQ. There is a quick start guide. + Convert remote-tls format from OpenVPN 2.2 to 2.3 format + Routing/Interface Configuration + The Routing and interface configuration is not done via traditionell ifconfig/route command but by using the VPNService API. This results in a different routing configuration than on other OSes. The configuration only consists of the IP of the tunnel interface and the networks that should be routed over this interface. Especially no peer partner address or gateway address is needed. 
Special routes to reach the VPN Server (for example added when using redirect-gateway) are not needed either. The application will consequently ignore these settings when importing a configuration. The app ensures with the VPNService API that the connection to the server is not routed through the VPN tunnel. Since only specifing networks to be routed via tunnel is supported extra routes not pointing to the tunnel cannot be supported either. (e.g. route x.x.x.x y.y.y.y net_gateway). The show information button in the log windows show the current configuration of the VPNService network configuration. + Do not fallback to no VPN connection when OpenVPN is reconnecting. + Persistent tun + Translation + OpenVPN Log + Import OpenVPN configuration + Battery consumption + In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which translates to a keepalive packet from client to server and server to client every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunatly using a keepalive larger than 60 seconds with udp has problems with some NAT gateways which terminate the state for a connnection after a short timeout (60s in my tests). Using TCP with long keepalive timeout works but has the TCP over TCP problem. (See <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>) + The Android Tethering feature (over WiFi, USB or Bluetooth) and the VPNService API (used by this program) do not work together. For more details see the <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a> + VPN and Tethering + + \ No newline at end of file -- cgit v1.2.3 
From 0d8fd9947881d4fd6271dee0251cd579b694754f Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sat, 15 Dec 2012 21:25:02 +0100 Subject: Fix swap --- AndroidManifest.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/AndroidManifest.xml b/AndroidManifest.xml index 8e75f9fd..87fd8d75 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -27,9 +27,10 @@ - + -- cgit v1.2.3 From 29efcfc3453432a32d74811d55bb063a53be82a7 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sat, 15 Dec 2012 21:25:45 +0100 Subject: Added tag v0.5.25 for changeset 5f7744dd0698 --- .hgtags | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.hgtags b/.hgtags index d6169206..3dc621af 100644 --- a/.hgtags +++ b/.hgtags @@ -22,3 +22,5 @@ e1e9c63323ca53270bee1aed9cca2f6fa207bbfa v0.5.22 d356e8526528be9d800d83022aa8004c910fa407 v0.5.23 24243dbbd2bdb0b4e3740e333eecd0c96a686f05 v0.5.24 0378ae6b13074c269e4d38e9b78dddbb3b876643 v0.5.25 +0378ae6b13074c269e4d38e9b78dddbb3b876643 v0.5.25 +5f7744dd06982bf173376fe5916566414b1c5bea v0.5.25 -- cgit v1.2.3 From a84d2bd237b17dca5227637471595050afe2a76e Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sat, 15 Dec 2012 23:06:18 +0100 Subject: Let the user control the new connect-retry(-max) logic --- res/values/arrays.xml | 8 ++++++- res/values/strings.xml | 4 ++++ res/values/untranslatable.xml | 10 ++++++-- res/xml/vpn_obscure.xml | 14 +++++++++++ src/de/blinkt/openvpn/Settings_Obscure.java | 36 +++++++++++++++++++++++++++-- src/de/blinkt/openvpn/VpnProfile.java | 25 +++++++++++++++----- 6 files changed, 86 insertions(+), 11 deletions(-) diff --git a/res/values/arrays.xml b/res/values/arrays.xml index b88e975e..4af8f90f 100644 --- a/res/values/arrays.xml +++ b/res/values/arrays.xml @@ -24,5 +24,11 @@ 4 5 - Debug logging - + + No reconnection retries + One reconnection retry + Five reconnection retries + Fifty reconnection retries + Unlimited reconnection retries + 
diff --git a/res/values/strings.xml b/res/values/strings.xml index 74d05fb5..ff0c592c 100755 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -232,5 +232,9 @@ In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which translates to a keepalive packet from client to server and server to client every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunatly using a keepalive larger than 60 seconds with udp has problems with some NAT gateways which terminate the state for a connnection after a short timeout (60s in my tests). Using TCP with long keepalive timeout works but has the TCP over TCP problem. (See <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>) The Android Tethering feature (over WiFi, USB or Bluetooth) and the VPNService API (used by this program) do not work together. For more details see the <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a> VPN and Tethering + Connection retries + Reconnection settings + Number of seconds to wait between connection attempts. + Seconds between connections \ No newline at end of file diff --git a/res/values/untranslatable.xml b/res/values/untranslatable.xml index cb5bea14..d5a30a03 100644 --- a/res/values/untranslatable.xml +++ b/res/values/untranslatable.xml @@ -31,5 +31,11 @@ 4 5 - - + + 1 + 2 + 5 + 50 + -1 + + diff --git a/res/xml/vpn_obscure.xml b/res/xml/vpn_obscure.xml index c99e039c..ecdd4e29 100644 --- a/res/xml/vpn_obscure.xml +++ b/res/xml/vpn_obscure.xml 
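Review bot: The values added to `res/values/untranslatable.xml` (`1`, `2`, `5`, `50`, `-1`) do not line up consistently with the labels added to `res/values/arrays.xml` in the same commit (no retries, one, five, fifty, unlimited). The first two pairs read the number as an attempt count (1 = no retry, 2 = one retry), while the next two read it as a retry count. This assumes the two arrays are paired as entries and entry values, which cannot be confirmed here because the element names are not visible on this page. Either the labels or the values should be adjusted so that all rows use one meaning. An XML comment above the value array should state which OpenVPN option receives the number and that `-1` stands for unlimited, since the code that interprets `-1` is outside this hunk.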
@@ -24,6 +24,20 @@ android:summary="@string/persisttun_summary" android:title="@string/persistent_tun_title" /> + + + + + Date: Sun, 16 Dec 2012 10:31:43 +0100 Subject: connect-retry fix --- openvpn/src/openvpn/options.c | 6 ------ openvpn/src/openvpn/options.h | 1 - 2 files changed, 7 deletions(-) diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index 158e155f..6a618212 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -1859,11 +1859,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne /* * Sanity check on TCP mode options */ - - if (ce->connect_retry_defined && ce->proto != PROTO_TCP_CLIENT) - msg (M_USAGE, "--connect-retry doesn't make sense unless also used with " - "--proto tcp-client or tcp6-client"); - if (ce->connect_timeout_defined && ce->proto != PROTO_TCP_CLIENT) msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with " "--proto tcp-client or tcp6-client"); @@ -4397,7 +4392,6 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.connect_retry_seconds = positive_atoi (p[1]); - options->ce.connect_retry_defined = true; } else if (streq (p[0], "connect-timeout") && p[1]) { diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h index 62b1cbf3..91387845 100644 --- a/openvpn/src/openvpn/options.h +++ b/openvpn/src/openvpn/options.h @@ -97,7 +97,6 @@ struct connection_entry bool bind_defined; bool bind_local; int connect_retry_seconds; - bool connect_retry_defined; int connect_timeout; bool connect_timeout_defined; #ifdef ENABLE_HTTP_PROXY -- cgit v1.2.3 From a5c9cda1a3841d2988ec76c7241ea955c3d36f45 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 16 Dec 2012 10:39:29 +0100 Subject: Fix parsing of tcp6 and udp6. Also parse connect-retry(-max). (Closes issue #69) --- src/de/blinkt/openvpn/ConfigParser.java | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) 
diff --git a/src/de/blinkt/openvpn/ConfigParser.java b/src/de/blinkt/openvpn/ConfigParser.java index 1098058f..826f3b62 100644 --- a/src/de/blinkt/openvpn/ConfigParser.java +++ b/src/de/blinkt/openvpn/ConfigParser.java @@ -353,10 +353,12 @@ public class ConfigParser { Vector proto = getOption("proto", 1,1); if(proto!=null){ - if(proto.get(1).equals("udp")) + if(proto.get(1).equals("udp") || proto.get(1).equals("udp6")) np.mUseUdp=true; else if (proto.get(1).equals("tcp-client") || - proto.get(1).equals("tcp")) + proto.get(1).equals("tcp") || + proto.get(1).equals("tcp6") || + proto.get(1).endsWith("tcp6-client")) np.mUseUdp=false; else throw new ConfigParseError("Unsupported option to --proto " + proto.get(1)); @@ -439,6 +441,15 @@ public class ConfigParser { if(getOption("persist-tun", 0,0) != null) np.mPersistTun=true; + Vector connectretry = getOption("connect-retry", 1, 1); + if(connectretry!=null) + np.mConnectRetry =connectretry.get(1); + + Vector connectretrymax = getOption("connect-retry-max", 1, 1); + if(connectretrymax!=null) + np.mConnectRetryMax =connectretrymax.get(1); + + Vector authuser = getOption("auth-user-pass",0,1); if(authuser !=null){ -- cgit v1.2.3 From 12d9d34ecb39f9c3976e8bcfecdfc4148cc89b46 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 16 Dec 2012 10:45:15 +0100 Subject: Update translations again, fix broken Italian string (closes issue #116) --- res/values-it/strings.xml | 3 +-- res/values-zh-rCN/strings.xml | 13 +++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/res/values-it/strings.xml b/res/values-it/strings.xml index ccd66dc6..f4f52397 100755 --- a/res/values-it/strings.xml +++ b/res/values-it/strings.xml @@ -92,7 +92,7 @@ Info Visualizza i dettagli della connessione Ultima configurazione interfaccia OpenVPN: - IPv4 locale: %1$s/%2$d IPv6: %3$ s MTU: %4$ d + IPv4 locale: %1$s/%2$d IPv6: %3$s MTU: %4$ d Server DNS: %s Dominio DNS: %s Rotte: %s 
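Review bot: The last alternative of the TCP branch in the `--proto` hunk uses `proto.get(1).endsWith("tcp6-client")` where every other comparison uses `equals`. Any value that merely ends in that text is therefore accepted as TCP instead of reaching the `Unsupported option to --proto` error. It should read `proto.get(1).equals("tcp6-client")`. As far as these lines show, `udp6` and `tcp6` are folded into `mUseUdp` alone, so the address-family part of the imported setting is dropped; a one-line comment such as `// the 6 suffix is accepted but not stored` would make that explicit if it is intended.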
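Review bot: In the second ConfigParser hunk, `np.mConnectRetry` and `np.mConnectRetryMax` take `connectretry.get(1)` and `connectretrymax.get(1)` straight from the imported file without checking that they are numbers. An imported configuration is untrusted input, and the profile presumably writes these strings back into the generated OpenVPN configuration, so a malformed value would only surface at connect time. Rejecting non-numeric values here with the `ConfigParseError` already used for `--proto` keeps the failure at import. This assumes both hunks sit in the same method, which starts outside the hunk.

```java
Vector<String> connectretry = getOption("connect-retry", 1, 1);
if(connectretry!=null) {
    try {
        Integer.parseInt(connectretry.get(1));
    } catch (NumberFormatException e) {
        throw new ConfigParseError("Invalid value for --connect-retry " + connectretry.get(1));
    }
    np.mConnectRetry = connectretry.get(1);
}
// … connect-retry-max: same check before assigning np.mConnectRetryMax …
```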
@@ -174,5 +174,4 @@ Effettuata la lettura del file di configurazione Log di OpenVPN Importa configurazione OpenVPN Consumo della batteria - Nei miei test la causa principale per il consumo elevato della batteria di OpenVPN sono i pacchetti keepalive. La maggior parte dei server OpenVPN hanno una direttiva di configurazione tipo \' keepalive 10 60\', che si traduce in un pacchetto keepalive dal client al server e al client ogni dieci secondi. <p> Anche se questi pacchetti sono piccoli e non utilizzano drandi quantità di traffico, tengono occupata la rete radio mobile e aumentano il consumo di energia. <p> Non è possibile modificare il settaggio keepalive sul client. Solo l\'amministratore di sistema dell\'OpenVPN può modificare l\'impostazione. Purtroppo <p> utilizzando un keepalive maggiore di 60 secondi, udp ha problemi con alcuni gateway NAT che terminano lo stato per garantire una connessione dopo un timeout breve (60 secondi nei miei test). Utilizzare TCP keepalive lungo funziona, ma si crea un problema di TCP su TCP. (Vedere < un href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\" > perché TCP Over TCP è A Bad Ide </a>) diff --git a/res/values-zh-rCN/strings.xml b/res/values-zh-rCN/strings.xml index 34c1836d..9bf73221 100755 --- a/res/values-zh-rCN/strings.xml +++ b/res/values-zh-rCN/strings.xml @@ -59,6 +59,7 @@ 断开已连接的 VPN / 取消连接尝试? 删除 VPN 检查服务器是否使用 TLS 服务器证书 + 证书主机名检查 远程主机名 (CN) 启用 TLS 密钥认证 TLS 认证文件 @@ -73,6 +74,7 @@ 备用 DNS 服务器 忽略推送路由 忽略服务器推送的路由 + 重定向所有流量到VPN 使用默认路由 输入自定义路由。输入 CIDR 格式地址。 自定义路由 @@ -107,9 +109,11 @@ 输入 OpenVPN 密钥。留空以使用默认密码 认证/加密 文件浏览器 + 内联文件 导入 导入文件出错 无法导入文件系统文件 + [[内联文件数据]] 从 ovpn 文件中导入配置文件 导入 无法读取要导入的配置文件 @@ -120,6 +124,7 @@ 从 %1$s 中导入配置文件 读取配置文件完成 不关联到本地地址和端口 + 无本地绑定 导入配置文件 安全注意 导入 @@ -154,6 +159,7 @@ 路由设置 其他 OpenVPN 设置,一般不需要修改。 高级设置 + ICS Openvpn 配置 快速入门 尝试在连接之前加载 tun.ko 内核模块。需要 root 权限。 载入 tun 模块 
@@ -165,6 +171,13 @@ 忽略 重启 配置已更改 + 重复的通知 + 没有定义 VPN 配置文件 + 使用 < img src =\"ic_menu_add\"/ > 图标以添加新的 VPN 当 OpenVPN 重连时,也一直使用 VPN 连接。 保持 tun 通道 + 翻译 + OpenVPN 日志 + 导入 OpenVPN 配置文件 + 电池消耗 -- cgit v1.2.3 From 4051b92ea061b3b187ad64c0f910d8631310ee65 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 16 Dec 2012 10:54:31 +0100 Subject: Increase version to 0.5.26 --- AndroidManifest.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AndroidManifest.xml b/AndroidManifest.xml index 87fd8d75..82162bb0 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -17,8 +17,8 @@ + android:versionCode="53" + android:versionName="0.5.26" > -- cgit v1.2.3 From cf2992c09e5739a80e111fe674e56bd3c2cc5617 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 16 Dec 2012 13:25:10 +0100 Subject: Added tag v0.5.26 for changeset 2c62077b8c3f --- .hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/.hgtags b/.hgtags index 3dc621af..dad861fb 100644 --- a/.hgtags +++ b/.hgtags @@ -24,3 +24,4 @@ d356e8526528be9d800d83022aa8004c910fa407 v0.5.23 0378ae6b13074c269e4d38e9b78dddbb3b876643 v0.5.25 0378ae6b13074c269e4d38e9b78dddbb3b876643 v0.5.25 5f7744dd06982bf173376fe5916566414b1c5bea v0.5.25 +2c62077b8c3f05dc15c5b0ab2bff5d0e0bdcb734 v0.5.26 -- cgit v1.2.3 From 5326ce2bd67d7cb1992911c9c32e952c103a2531 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 16 Dec 2012 18:17:40 +0100 Subject: More Italien translation fixes --- AndroidManifest.xml | 4 ++-- res/values-it/strings.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/AndroidManifest.xml b/AndroidManifest.xml index 82162bb0..a71ad54a 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -17,8 +17,8 @@ + android:versionCode="54" + android:versionName="0.5.26a" > diff --git a/res/values-it/strings.xml b/res/values-it/strings.xml index f4f52397..53e0814c 100755 --- a/res/values-it/strings.xml +++ b/res/values-it/strings.xml 
@@ -92,7 +92,7 @@ Info Visualizza i dettagli della connessione Ultima configurazione interfaccia OpenVPN: - IPv4 locale: %1$s/%2$d IPv6: %3$s MTU: %4$ d + IPv4 locale: %1$s/%2$d IPv6: %3$s MTU: %4$d Server DNS: %s Dominio DNS: %s Rotte: %s @@ -152,7 +152,7 @@ Effettuata la lettura del file di configurazione Configurazione generata Impostazioni generali Correggi i diritti su /dev/tun - Modifica \"% s\" + Modifica \"%s\" Configurazione dell\'edificio... Stato della rete: %s Selezionare -- cgit v1.2.3 From 5c75fc2eddc3692651c6fbfbd7c346b05e39d9a8 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 17 Dec 2012 11:11:33 +0100 Subject: Fix proxy support --- openvpn/src/openvpn/init.c | 2 +- openvpn/src/openvpn/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index fe70dd57..6a1ed02d 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c @@ -137,7 +137,7 @@ management_callback_proxy_cmd (void *arg, const char **p) } ho = init_http_proxy_options_once (&ce->http_proxy_options, gc); ho->server = string_alloc (p[2], gc); - ho->port = p[3]; + ho->port = string_alloc (p[3], gc); ho->retry = true; ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL); ret = true; diff --git a/openvpn/src/openvpn/socket.c b/openvpn/src/openvpn/socket.c index 2f929ef6..04a21357 100644 --- a/openvpn/src/openvpn/socket.c +++ b/openvpn/src/openvpn/socket.c @@ -1386,7 +1386,7 @@ link_socket_init_phase1 (struct link_socket *sock, /* are we running in HTTP proxy mode? */ else if (sock->http_proxy) { - ASSERT (sock->info.proto == PROTO_TCP_CLIENT && sock->info.af == AF_INET); + ASSERT (sock->info.proto == PROTO_TCP_CLIENT); ASSERT (!sock->inetd); /* the proxy server */ -- cgit v1.2.3 From 023e4fd6246431e7ad6e89ac1ae6ca8c1b34b0cc Mon Sep 17 00:00:00 2001 
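Review bot: The new copy `ho->port = string_alloc (p[3], gc);` in `management_callback_proxy_cmd` has no comment saying why the pointer can no longer be stored directly. Something like `/* copy into gc: p[3] is not guaranteed to outlive this call */` would record it, presumably matching the reason `p[2]` is already copied on the line above. Nothing in the hunk checks that `p[3]` is non-NULL or a plausible port before it is copied. The function starts outside the hunk, so that check may sit above these lines; it is worth confirming, since the value arrives over the management interface.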
From: Arne Schwabe Date: Mon, 17 Dec 2012 22:34:44 +0100 Subject: More Dual Stack patch fixes --- openvpn/config.h | 2 +- openvpn/src/openvpn/options.c | 22 +++++++++++- openvpn/src/openvpn/socket.c | 83 ++++++++++++++++++++++++++++++++----------- openvpn/src/openvpn/socket.h | 15 +------- 4 files changed, 86 insertions(+), 36 deletions(-) diff --git a/openvpn/config.h b/openvpn/config.h index 510db135..be6733fb 100644 --- a/openvpn/config.h +++ b/openvpn/config.h @@ -450,7 +450,7 @@ #define PACKAGE_NAME "OpenVPN" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "OpenVPN 2.3_rc1+dspatch1" +#define PACKAGE_STRING "OpenVPN 2.3_rc1+dspatch2" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "openvpn" diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index 6a618212..64c81cf2 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -2488,6 +2488,13 @@ options_postprocess_mutate (struct options *o) *ace = ce; } } + else if(!o->remote_list && !o->connection_list) + { + struct connection_entry *ace; + ace = alloc_connection_entry (o, M_USAGE); + ASSERT (ace); + *ace = o->ce; + } ASSERT (o->connection_list); int i; @@ -2885,7 +2892,11 @@ options_string (const struct options *o, buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame)); buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame)); buf_printf (&out, ",proto %s", proto_remote (o->ce.proto, remote)); - if (o->tun_ipv6) + + /* send tun_ipv6 only in peer2peer mode - in client/server mode, it + * is usually pushed by the server, triggering a non-helpful warning + */ + if (o->tun_ipv6 && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) buf_printf (&out, ",tun-ipv6"); /* 
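Review bot: The new `else if(!o->remote_list && !o->connection_list)` branch in `options_postprocess_mutate` has no comment explaining why a connection entry is created when the user supplied neither list. A comment such as `/* neither --remote nor a connection block: use the global o->ce as the single entry so the ASSERT below holds */` would say what the visible lines do. The spacing should follow the rest of the file, i.e. `else if (!o->remote_list && !o->connection_list)`. The function starts and ends outside the hunk.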
@@ -3065,6 +3076,15 @@ options_warning_safe_scan2 (const int msglevel, const char *b1_name, const char *b2_name) { + /* we will stop sending 'proto xxx' in OCC in a future version + * (because it's not useful), and to reduce questions when + * interoperating, we start not-printing a warning about it today + */ + if (strncmp(p1, "proto ", 6) == 0 ) + { + return; + } + if (strlen (p1) > 0) { struct gc_arena gc = gc_new (); diff --git a/openvpn/src/openvpn/socket.c b/openvpn/src/openvpn/socket.c index 04a21357..29a15a63 100644 --- a/openvpn/src/openvpn/socket.c +++ b/openvpn/src/openvpn/socket.c @@ -234,18 +234,20 @@ openvpn_getaddrinfo (unsigned int flags, get_signal (signal_received); if (*signal_received) /* were we interrupted by a signal? */ { - if (0 == status) { - ASSERT(res); - freeaddrinfo(*res); - res = NULL; - } if (*signal_received == SIGUSR1) /* ignore SIGUSR1 */ { msg (level, "RESOLVE: Ignored SIGUSR1 signal received during DNS resolution attempt"); *signal_received = 0; } else - goto done; + { + if (0 == status) { + ASSERT(res); + freeaddrinfo(*res); + res = NULL; + } + goto done; + } } } @@ -674,7 +676,7 @@ create_socket (struct link_socket *sock) #ifdef ENABLE_SOCKS if (sock->socks_proxy) - sock->ctrl_sd = create_socket_tcp (AF_INET); + sock->ctrl_sd = create_socket_tcp (ai_family); #endif } else if (ai_proto == IPPROTO_TCP) @@ -685,6 +687,12 @@ create_socket (struct link_socket *sock) { ASSERT (0); } + /* set socket buffers based on --sndbuf and --rcvbuf options */ + socket_set_buffers (sock->sd, &sock->socket_buffer_sizes); + + /* set socket to --mark packets with given value */ + socket_set_mark (sock->sd, sock->mark); + #ifdef TARGET_ANDROID struct user_pass up; strcpy(up.username ,__func__); 
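Review bot: In the `openvpn_getaddrinfo` hunk, the moved cleanup still ends with `res = NULL;`, which clears the local parameter rather than the caller's pointer. After `freeaddrinfo(*res)` the caller keeps a pointer to freed memory, so the line should be `*res = NULL;`. The commit only relocates these lines into the `else` branch, so the defect is carried over rather than introduced, but this is the natural place to fix it. `status` is still 0 on this path, which presumably reports success once control reaches `done:`. That label is outside the hunk, so confirm and set an error status before the `goto` if so.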
@@ -895,7 +903,8 @@ socket_bind (socket_descriptor_t sd, break; } if (!cur) - msg (M_FATAL, "%s: Socket bind failed: No addr to bind has no v4/v6 record", prefix); + msg (M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", + prefix, addr_family_name(ai_family)); if (bind (sd, cur->ai_addr, cur->ai_addrlen)) { @@ -1143,7 +1152,7 @@ static void bind_local (struct link_socket *sock) if (sock->bind_local) { #ifdef ENABLE_SOCKS - if (sock->socks_proxy && sock->info.proto == PROTO_UDP && sock->info.af == AF_INET) + if (sock->socks_proxy && sock->info.proto == PROTO_UDP) socket_bind (sock->ctrl_sd, sock->info.lsa->bind_local, sock->info.lsa->actual.ai_family, "SOCKS"); else @@ -1280,23 +1289,34 @@ link_socket_new (void) } void -create_new_socket (struct link_socket* sock, int mark) +create_new_socket (struct link_socket* sock) { if (sock->bind_local) { resolve_bind_local (sock, sock->info.af); } resolve_remote (sock, 1, NULL, NULL); - create_socket (sock); - - /* set socket buffers based on --sndbuf and --rcvbuf options */ - socket_set_buffers (sock->sd, &sock->socket_buffer_sizes); + /* + * In P2P or server mode we must create the socket even when resolving + * the remote site fails/is not specified. */ - /* set socket to --mark packets with given value */ - socket_set_mark (sock->sd, mark); - - if (sock->bind_local) - bind_local(sock); + if (sock->info.af && sock->info.lsa->actual.ai_family==0 && sock->bind_local) + { + /* Copy sock parameters from bind addr */ + set_actual_address (&sock->info.lsa->actual, sock->info.lsa->bind_local); + /* clear destination set by set_actual_address */ + CLEAR(sock->info.lsa->actual.dest); + } + /* + * Create the socket early if socket should be bound + */ + if (sock->bind_local && sock->info.lsa->actual.ai_family) + { + create_socket (sock); + + if (sock->bind_local) + bind_local(sock); + } } 
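Review bot: The inner `if (sock->bind_local)` in the rewritten `create_new_socket` is redundant, because the enclosing condition `sock->bind_local && sock->info.lsa->actual.ai_family` already requires it. The body can call `bind_local(sock);` directly after `create_socket (sock);`. The first new condition would also read better spaced like the rest of the file, `sock->info.lsa->actual.ai_family == 0`. The comment about P2P or server mode sits above the address-copy block, while the socket is actually created in the second block; moving or splitting it would keep each comment next to the code it describes.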
@@ -1363,6 +1383,7 @@ link_socket_init_phase1 (struct link_socket *sock, sock->socket_buffer_sizes.sndbuf = sndbuf; sock->sockflags = sockflags; + sock->mark = mark; sock->info.proto = proto; sock->info.af = af; @@ -1438,7 +1459,7 @@ link_socket_init_phase1 (struct link_socket *sock, } else if (mode != LS_MODE_TCP_ACCEPT_FROM) { - create_new_socket (sock, mark); + create_new_socket (sock); } } @@ -1712,8 +1733,28 @@ link_socket_init_phase2 (struct link_socket *sock, } else { + /* Second chance to resolv/create socket */ resolve_remote (sock, 2, &remote_dynamic, &sig_info->signal_received); + + /* If socket has not already been created create it now */ + if (sock->sd == SOCKET_UNDEFINED) + { + if (sock->info.lsa->actual.ai_family) + { + create_socket (sock); + } + else + { + msg (M_WARN, "Could not determine IPv4/IPv6 protocol"); + sig_info->signal_received = SIGUSR1; + goto done; + } + + if (sock->bind_local) + bind_local(sock); + } + if (sig_info && sig_info->signal_received) goto done; @@ -2167,6 +2208,8 @@ print_sockaddr_ex (const struct sockaddr *sa, salen = sizeof (struct sockaddr_in6); addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6*) sa)->sin6_addr); break; + case AF_UNSPEC: + return "[AF_UNSPEC]"; default: ASSERT(0); } diff --git a/openvpn/src/openvpn/socket.h b/openvpn/src/openvpn/socket.h index 33a59f0f..b30a1bc7 100644 --- a/openvpn/src/openvpn/socket.h +++ b/openvpn/src/openvpn/socket.h @@ -215,6 +215,7 @@ struct link_socket # define SF_HOST_RANDOMIZE (1<<3) # define SF_GETADDRINFO_DGRAM (1<<4) unsigned int sockflags; + int mark; /* for stream sockets */ struct stream_buf stream_buf; 
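Review bot: In the `link_socket_init_phase2` hunk, the new failure branch assigns `sig_info->signal_received = SIGUSR1;` without a NULL check, while the context line just below tests `if (sig_info && sig_info->signal_received)` and so treats `sig_info` as optional. If a caller can pass NULL, the new branch dereferences it; guarding the assignment as `if (sig_info) sig_info->signal_received = SIGUSR1;` keeps the two consistent. The existing `resolve_remote` call already takes `&sig_info->signal_received` unguarded, so the function's contract should be settled one way or the other. The function starts and ends outside the hunk.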
@@ -651,20 +652,6 @@ addrlist_match (const struct openvpn_sockaddr *a1, const struct addrinfo *addrli return false; } -static inline in_addr_t -addr_host (const struct openvpn_sockaddr *addr) -{ - /* - * "public" addr returned is checked against ifconfig for - * possible clash: non sense for now given - * that we do ifconfig only IPv4 - */ - if(addr->addr.sa.sa_family != AF_INET) - return 0; - return ntohl (addr->addr.in4.sin_addr.s_addr); -} - - static inline bool addrlist_port_match (const struct openvpn_sockaddr *a1, const struct addrinfo *a2) { -- cgit v1.2.3 From f66243219ef075b5d50ea1bf8af4af6dda4f4db3 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 17 Dec 2012 22:38:07 +0100 Subject: Update translations --- res/values-fr/strings.xml | 4 +- res/values-it/arrays.xml | 2 +- res/values-it/strings.xml | 110 +++++++++++++++++++++++++++++++++++----------- res/values-ja/strings.xml | 53 +++++++++++----------- 4 files changed, 115 insertions(+), 54 deletions(-) diff --git a/res/values-fr/strings.xml b/res/values-fr/strings.xml index 085f7486..65132174 100755 --- a/res/values-fr/strings.xml +++ b/res/values-fr/strings.xml 
@@ -230,5 +230,7 @@ Sur certaines images, cette notification joue un son.\nAndroid à introduit ces Log OpenVPN "Importer une configuration OpenVPN" "Consommation de la batterie" - "Lors de mes tests d\'OpenVPN, la source de principale de consommation de la batterie est l\'émission des paquets de servant à maintenir la connexion active (keepalive). La plupart des serveurs OpenVPN utilisent la directive \'keepalive 10 60\' ce qui signifie que des packets de keepalive sont envoyés toutes les 10 secondes du client au serveur et vice-versa, et que la connexion sera redemmarée après 60s en cas d\'inactivité. <>Bien que le trafic généré soit faible, ces paquets maintiennent le module radio actif et augmentent la consommation d\'énergie. <p> Malheureusement, la configuration du keepalive ne peut pas être changé sur le client, seul l\'administrateur du réseau OpenVPN peut le faire. En effet, utiliser une période de keepalive supérieure à 60 secondes pose problème pour les réseaux UDP et les passerelles NAT qui ferment alors la connexion (mes tests ont mis en évidence un timeout de 60s). L\'usage de TCP et d\'une plus longue periode de keepalive est possible mais présente les inconvénient lié aux connexion TCP encapsulées (cf., site en anglais: <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>)" + "Lors de mes tests d\'OpenVPN, la source de principale de consommation de la batterie est l\'émission des paquets de servant à maintenir la connexion active (keepalive). La plupart des serveurs OpenVPN utilisent la directive \'keepalive 10 60\' ce qui signifie que des packets de keepalive sont envoyés toutes les 10 secondes du client au serveur et vice-versa, et que la connexion sera redemmarée après 60s en cas d\'inactivité. lt;gt;Bien que le trafic généré soit faible, ces paquets maintiennent le module radio actif et augmentent la consommation d\'énergie. 
lt;pgt; Malheureusement, la configuration du keepalive ne peut pas être changé sur le client, seul l\'administrateur du réseau OpenVPN peut le faire. En effet, utiliser une période de keepalive supérieure à 60 secondes pose problème pour les réseaux UDP et les passerelles NAT qui ferment alors la connexion (mes tests ont mis en évidence un timeout de 60s). L\'usage de TCP et d\'une plus longue periode de keepalive est possible mais présente les inconvénient lié aux connexion TCP encapsulées (cf., site en anglais: lt;a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\"gt;Why TCP Over TCP Is A Bad Idelt;/agt;)" + La fonctionnalité de Tethering Android (sur WiFi, USB ou Bluetooth) et l\'API VPNService (utilisé par ce programme) ne fonctionnent pas ensemble. Pour plus de détails, voir la <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\" > page #34 </a> + VPN et Tethering diff --git a/res/values-it/arrays.xml b/res/values-it/arrays.xml index 551ac746..54ff474c 100755 --- a/res/values-it/arrays.xml +++ b/res/values-it/arrays.xml @@ -18,7 +18,7 @@ Log disattivato - Log default + Default log Log più dettagliato 3 4 diff --git a/res/values-it/strings.xml b/res/values-it/strings.xml index 53e0814c..e34665b2 100755 --- a/res/values-it/strings.xml +++ b/res/values-it/strings.xml @@ -16,8 +16,8 @@ File PKCS12 Certificato CA Nessuna selezione - Codice sorgente ed elenco dei rilasci disponibile su - Il programma utilizza i seguenti componenti. Fare riferimento alle relative fonti per tutti i dettagli relativi alle licenze + Il codice sorgente e il bug tracker sono disponibili all\'indirizzo http://code.google.com/p/ics-openvpn/ + Il programma utilizza i seguenti componenti. Fare riferimento al sorgente per tutti i dettagli relativi alle licenze Informazioni Informazioni su OpenVPN per Android Elenco connessioni VPN configurate 
@@ -28,8 +28,8 @@ Nulla selezionato Usa autenticazione TLS Direzione TLS - Inserire l\'indirizzo IPv6/maschera di rete in formato CIDR (ad esempio 2000:dd::23/64) - Inserire l\'indirizzo IPv4/maschera di rete in formato CIDR (ad esempio 1.2.3.4/24) + Inserire l\'indirizzo IPv6 e la maschera di rete in formato CIDR (ad esempio 2000:dd::23/64) + Inserire l\'indirizzo IPv4 e la maschera di rete in formato CIDR (ad esempio 1.2.3.4/24) Indirizzo IPv4 Indirizzo IPv6 Inserire le opzioni personalizzate di OpenVPN. Utilizzare con attenzione. Si ricorda che molte delle impostazioni relative a OpenVPN non sono attualmente supportate da progetto. Se pensate che qualcuna di queste sia indispensabile, contattare l\'autore 
@@ -46,28 +46,31 @@ Errore nella configurazione Impossibile analizzare l\'indirizzo IPv4 Non è possibile analizzare le informazioni di routing personalizzate - Lasciare vuoto per eseguire una interrogazione a richiesta + Lasciare vuoto perché venga richiesta ad ogni avvio Collegamento a OpenVPN - Connesso alla VPN + Connetti alla VPN Profilo indicato nel collegamento non trovato - Host prefix casuale + Prefisso Host casuale Aggiunge 6 caratteri casuali prima dell\'hostname Abilita le opzioni personalizzate Specifica opzioni personalizzate. Utilizzare con cautela! - \"Rotta\" rifiutata da Android + \"Reindirizzamento (route)\" rifiutato da Android Scollega Cancella registro Annulla conferma - Scollegare la VPN collegata o annullare il tentativo di connessione? + Disconnetti la VPN in uso/annulla il tentativo di connessione? Rimuovi VPN Controlla se il server utilizza un certificato Server TLS Ad eccezione del server TLS - Controlla il certificato del server remoto confrontandolo con una stringa + Controlla il certificato del server remoto CN confrontandolo con una stringa Verifica il certificato dell\'Host + Inserisci una stringa con cui controllare il server remoto. OpenVPN controllerà che il prefisso corrissponda. Ad esempio \"Server\" riconosce validi \"Server-1\" e \"Server-2\".\nLasciare vuoto se si desidera controllare il nome dell\'host remoto CN con il nome del server. + Nome dell\'host remoto (CN) Abilita l\'autenticazione tramite TLS File di autenticazione TLS Richiede indirizzi IP, instradamenti r opzioni di sincronizzazione dal server. Nessuna informazione è chiesta al server. Le impostazioni devono essere specificate di seguito. + Richiedi impostazioni DNS Sovrascrive le impostazioni DNS del server Utilizzare il proprio server DNS 
@@ -77,11 +80,14 @@ Server DNS secondario utilizzato se il Server DNS primario non può essere raggiunto. Server DNS secondario Ignora gli instradamenti dati dal server + Ignora impostazioni di routing comunicate dal server. Reindirizza tutto il traffico sulla VPN Utilizza il Routing di default + Inserisci instradamenti personalizzati. Usare il formato CIDR. \"10.0.0.0/8 2002::/16\" reindirizza le reti 10.0.0.0/8 e 2002::/16 sulla VPN. Rotte personalizzate Livello di dettaglio del registro Permette pacchetti autenticati da qualsiasi IP + Consenti che il server possa cambiare indirizzo IP (modalità float) Opzioni personalizzate Modifica impostazioni VPN Rimuovere il profilo VPN %s? 
@@ -92,86 +98,140 @@ Info Visualizza i dettagli della connessione Ultima configurazione interfaccia OpenVPN: - IPv4 locale: %1$s/%2$d IPv6: %3$s MTU: %4$d + Indirizzi locali - IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d Server DNS: %s Dominio DNS: %s - Rotte: %s - Rotte IPv6: %s - %1$s%2$s - Inviare il file di log + Instradamenti (route): %s + Instradamenti (route) IPv6: %s + Ottenute le informazioni sulle interfacce %1$s e %2$s, assumendo che il secondo indirizzo sia il peer remoto. Utilizzata la maschera /32 per l\'IP locale. La modalità impostata da OpenVPN è \"%3$s\". + Impossibile utilizzare %1$s e %2$s come reindirizzamenti IP con la maschera CIDR, è stata quindi usata la maschera /32. + Instradamento %1$s/%2$s corretto con %3$s/%2$s + Impossibile accedere ai certificati della Keychain di Android (può essere causato da un aggiornamento del firmware o dal ripristino di un backup dell\'applicazione o delle sue impostazioni). E\' necessario modificare le impostazioni della VPN e riselezionare il certificato nelle impostazioni di base per ricreare i permessi di accesso al certificato. + %1$s %2$s + Invia il file di log Invia File log di OpenVPN ICS Voce di registro copiata negli appunti Modalità TAP La modalità TAP non è disponibile con le VPN API non root Ancora? Stai scherzando? La modalità TAP non è realmente supportata ed inviare ulteriori richieste via mail di sicuro non aiuta! - Per la terza volta?In realtà si potrebbe scrivere un emulatore TAP basato su TUN che aggiunge le informazioni di Layer 2 in uscita e le elimina in ingresso. Ma questo emulatore TAP dovrebbe anche implementare ARP e un client DHCP. Non sono a conoscenza di nessuno che stia realizzando qualcosa del genere. Contattami se vuoi iniziare a scrivere del codice a riguardo. - Domande frequenti + Per la terza volta? In realtà si potrebbe scrivere un emulatore TAP basato su TUN che aggiunge le informazioni di Layer 2 in uscita e le elimina in ingresso. 
Ma questo emulatore TAP dovrebbe anche implementare ARP e un client DHCP. Non sono a conoscenza di nessuno che stia realizzando qualcosa del genere. Contattami se vuoi iniziare a scrivere del codice a riguardo. + Domande frequenti (FAQ) Domande più frequenti e qualche consiglio - Copia le voci di log + Sto copiando le voci di log Per copiare una singola voce del log, premi e mantieni sulla voce del log. Per copiare/inviare l\'intero log usa l\'opzione \"Manda log\". Usa il tasto hardware Menù se non è visibile nella GUI. - Scelta rapida per avviare + Scorciatoia per l\'avvio È possibile inserire un collegamento per avviare OpenVPN sul desktop. A seconda del vostro launcher dovrete aggiungere un collegamento o un widget. La tua immagine non supporta le API VPNService, mi dispiace :( - Codifica + Crittografia Inserire il metodo di crittografia Inserisci la chiave di cifratura per OpenVPN. Lascia vuoto per usare la chiave di cifratura predefinita Autenticazione/crittografia Esplora risorse + Blocco note Importa - Errore durante l\'importazione di File + Errore durante l\'importazione del file Impossibile importare il file dal filesystem - importa il profilo dal file .ovpn + [[dati del blocco note]] + Rifiuto di attivare il dispositivo tun senza informazioni sull\'IP + Importa il profilo dal file .ovpn Importa Impossibile leggere il profilo da importare Errore di lettura del file di configurazione Aggiungi profilo - Provando a leggere il file: %1$s + Tentativo di lettura del file: %1$s Impossibile trovare il file %1$s menzionato nel file di configurazione importato - Importa il file di configurazione da fonte %1$s + Importa il file di configurazione dalla sorgente %1$s La tua configurazione ha avuto alcune opzioni che potevano essere analizzate. Queste opzioni sono state aggiunte come opzioni di configurazione aggiuntive. 
Le opzioni di configurazione aggiuntive sono visionabili qui sotto: Effettuata la lettura del file di configurazione + Non legarti all\'indirizzo e alla porta locali (bind) + No local binding Importa file di configurazione Considerazioni sulla sicurezza + "Dato che si usa OpenVPN per motivi di sicurezza, si riportano alcune note su quanto la sicurezza sia sensibile. Tutti i dati memorizzati sulla scheda SD sono intrinsecamente insicuri. Qualunque programma può leggerli (ad esempio a questo programma non sono richiesti speciali diritti per accedere alla scheda SD). I dati di questo programma invece possono essere letti solo dal programma stesso. Utilizzando l\'opzione di importazione di cacert/cert/key nelle impostazioni, i dati vengono memorizzati nel profilo della VPN. I profili delle VPN sono accessibili solo da questo programma (non bisogna però dimenticarsi di eliminare le copie dei certificati sulla scheda SD dopo questa operazione). Tuttavia anche se accessibili solamente da questo programma, i dati vengono memorizzati senza alcuna crittografia. E\' possibile pertanto mediante rooting o altre procedure recuperare tali dati. Anche le password salvate vengono memorizzate in chiaro. Si raccomanda caldamente di importare i file pkcs12 nel keystore di Android." Importa Errore nel mostrare il certificato selezionato - Incappato in una eccezione provando a mostrare la finestra di selezione dei certificati di Android 4.0+. Questo non dovrebbe mai accadere poiché questa è una feature standard di Android 4.0+. Forse si è corrotto il supporto per la conservazione dei certificati della tua ROM di Android + Si è incappati in una eccezione tentando di visualizzare la finestra di selezione dei certificati di Android 4.0+. Questo non dovrebbe mai accadere dato che questa è una caratteristica standard di Android 4.0+. Forse il supporto al salvataggio dei certificati del tuo firmware di Android è corrotto. IPv4 IPv6 In attesa del messaggio di stato... 
profilo importato profilo importato %d Immagini danneggiate + <p>E\' risaputo che i firmware ufficiali dell\'HTC presentano uno strano problema sull\'indirizzamento impedendo al traffico di passare attraverso il tunnel (vedi anche <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=18\">il problema n.18</a> +nel bug tracker).</p><p>Si è visto che ai firmware ufficiali della SONY per Xperia arc S ed Xperia Ray manca completamente il serivizio VPN. Anche altri firmware Sony potrebbero presentare lo stesso inconveniente (vedi anche <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=29\">il problema n.29</a> nel bug tracker).</p><p>Nei firmware personalizzati dagli utenti il modulo tun potrebbe essere stato rimosso o possono essere sbagliate le autorizzazioni per /dev/tun. Alcuni firmware per CM9 richiedono che venga selezionata nelle impostazioni generali l\'opzione per correggere i proprietari.</p><p>E\' molto importante che, nel caso abbiate un firmware che non funziona, lo segnaliate al costruttore. Maggiori sono le persone che segnalano il problema al costruttore, maggiore è la probabilità che il problema venga risolto.</p> L\'username non deve essere vuoto. + File con la chiave di crittografia PKCS12 Password della chiave privata Password icona del file Autenticazione TLS Configurazione generata Impostazioni generali + Tenta di impostare system come proprietario di /dev/tun. Alcune immaggini CM9 necessitano di questa impostazione affinché le API del servizio VPN funzionino. E\' necessario essere root. Correggi i diritti su /dev/tun + Mostra il file di configurazione di OpenVPN generato Modifica \"%s\" Configurazione dell\'edificio... + Selezionando questa opzione verrà forzata una riconnessione se lo stato della rete cambia (da WIFI a cellulare e viceversa) + Riconnetti in caso cambi la rete + Ottenuto il certificato \'%s\' dal Keystore Stato della rete: %s + Il certificato della CA è solitamente prelevato dal Keystore di Android. 
Indica un certificato differente se si generano errori di verifica del certificato. Selezionare + Nessun certificato della CA è stato prelevato dal Keystore di Android. E\' probabile che l\'autenticazione fallisca. + Mostra la finestra dei log della connessione. Si può sempre accedere alla finestra dei log tramite la barra delle notifiche. Visualizza la finestra dei log + Continua a mostrare le notifiche, dopo che la connessione è stata stabilita, per vedere le statistiche sul traffico. Visualizza le statistiche sul traffico + In esecuzione su %1$s (%2$s) %3$s, Android API %4$d + Errore di firma con la chiave %1$s: %2$s del Keystore di Android. + L\'avverimento durante la connessione VPN, in cui si informa che questo programma può intercettare tutto il traffico del sistema, serve a prevenire un uso fraudolento delle API del servizio VPN.\nL\'icona di notifica a forma di chiave è altresì imposta dal sistema Android per avvertire che si è connessi ad una VPN. Su alcuni apparecchi questa notifica è accompagnata da un suono.\nAndroid utilizza questi sistemi per la tua sicurezza e per assicurarsi che questi non vengano aggirati (in alcuni firmware questo sfortunamente è accompagnato da un suono di avvertimento). Avviso di connessione e notifica audio + Traduzione in inglese di Arne Schwabe<arne@rfc2549.org> IP e DNS Base Instradamento (routing) + Offusca le impostazioni di OpenVPN. Normalmente non necessario. Avanzate Configurazione OpenVPN ICS + Nessun server DNS in uso. La risoluzione dei nomi potrebbe non funzionare. Valuta se inserire dei server DNS personalizzati. + Impossibile aggiungere il server DNS \"%1$s\", respinto dal sistema: %2$s + <p>Ottieni una configurazione funzionante (testata sul tuo computer o fornita dal tuo provider o dalla tua ditta)</p><p>Se si tratta di un singolo file senza ulteriori file tipo pem/pkcs12 puoi spedire il file a te stesso via email ad aprire l\'allegato. 
Se hai più file, salvali sulla scheda SD.</p><p>Clicca sull\'allegato dell\'email/Utilizza l\'icona della cartella nell\'elendo delle VPN per importare il file di configurazione</p><p>Se compaiono degli errori relativi a file non trovati, metti i file mancanti sulla tua scheda SD.</p><p>Clicca sull\'icona di salvataggio per aggiungere la VPN importata nell\'elenco delle tue VPN</p><p>Connettiti alla VPN cliccando sul nome della VPN</p><p>Se compaiono degli errori o degli avvertimenti nei log, si consiglia di non ignorarli, ma di cercare delle soluzioni</p> Avvio rapido Prova a caricare il modulo tun.ko prima di connettersi. Si devono avere diritti di root sul dispositivo. + Carica il modulo tun + Importa i PKCS12 dalla configurazione presente nel Keystore di Android + Errore nell\'ottenere le impostazioni del proxy: %s + Si sta utilizzando il proxy %1$s %2$d + Utilizza il proxy di sistema + Utilizza la configurazione generale del sistema relativa ai proxy HTTP/HTTPS per connettersi. + Puoi <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donare tramite PayPal</a> + OpenVPN is riconnetterà alla VPN se era in funzione durante un riavvio od un spegnimento dell\'apparecchio. Leggi con attenzione le FAQ con gli avvertimenti sulla connessione prima di scegliere questa opzione. + Riconnetti al riavvio Ignora Riavvia Le modifiche sarannoi applicate dopo aver riavviato la connessione VPN. Riavviare ora la connessione? Configurazione modificata + Impossibile determinare l\'ultimo profilo con cui ci si è connessi per poterlo modificare + Duplica le notifiche + Normalmente se la memoria di sistema (RAM) di Android è insufficiente, i programmi ed i servizi che non sono in quel momento necessari vengono rimossi dalla memoria attiva. Questo terminerebbe una connessione VPN in corso. 
Per far sì che conessione OpenVPN resti in funzione, il servizio viene eseguito in priorità alta e per questo deve mostrare un\'icona nella barra delle notifiche. L\'icona di notifica è imposta dal sistema come descritto nella precedente voce delle FAQ. Non vale però come notifica del programma per lo scopo di venire eseguita con priorità alta. + Nessun profilo VPN definito. + Usa l\'icona <img src=\"ic_menu_add\"/> per aggiungere una nuova VPN + Usa l\'icona <img src=\"ic_menu_archive\"/> per importare il profilo (.ovpn o .conf) dalla tua scheda SD. + Si raccomanda di leggere anche le FAQ. C\'è anche una guida rapida. + Converti il formato di remote-tls da quello di OpenVPN 2.2 a quello della 2.3 + Configurazione dei reindirizzamenti e dell\'interfaccia + Le configurazioni di instradamento e dell\'interfaccia non vengono eseguite tramite i tradizionali comandi ifconfig e route ma utilizzando le API del servizio VPN. Questa comporta differenti configurazioni di instradamento rispetto ad altri sistemi operativi. In particolare non sono richiesti gli indirizzi del partner peer o del gateway. Non sono nemmeno richiesti instradamenti particolari per raggiungere il server VPN, ad esempio quando si utilizza un gateway di reindirizzamento. Il programma ignora pertanto queste impostazioni quando viene importata una configurazione. Il programma inoltra si assicura tramite le API del servizio VPN che la connessione col server non sia indirizzata attraverso il tunnel della VPN. Dal momento che solo le reti che esplicitamente vengono reindirizzate attraverso il tunnel sono supportate, non sono supportate ulteriori reti che non puntano verso il tunnel, come ad esempio quelle realizzate col comando route x.x.x.x y.y.y.y net_gateway. Il pulsante \"Mostra informazioni\" nella finestra dei log mostra la configurazione dell\'attuale rete VPN. + Non tornare nello stato di \"Nessuna connessione VPN\" quando OpenVPN sta eseguendo un tentativo di riconnessione. 
+ tun persistente Traduzione Log di OpenVPN Importa configurazione OpenVPN Consumo della batteria + Nei test eseguiti da me in persona, la causa principale di un elevato consumo di batteria durante il funzionamento di OpenVPN erano i pacchetti per il mantenimento della connessione (keepalive packets). La maggior parte dei server OpenVPN sono configurati con l\'impostazione \'keepalive 10 60\' che corrisponde ad un pacchetto per il mantenimento della connessione dal client al server e dal server al client ogni 10 secondi. <p> Nonostante questi pacchetti siano piccoli e non causino molto traffico, questi tengono impegnata la rete cellulare ed aumentano il consumo della batteria. <p> Questa impostazione del keepalive non può essere impostata sul client. Solo l\'amministratore di sistema della rete OpenVPN a cui ci si vuole connettere può modificare questa impostazione. <p> Sfortunatamente, se si usa un keepalive maggiore di 60 secondi con reti OpenVPN in UDP, si riscontrano dei problemi con alcuni gateway NAT, i quali terminano la connessione dopo dei timeout relativamente brevi (60 secondi nei miei test). Se invece si usa un keepalive maggiore con una VPN in TCP, questo problema non si presenta, ma bisogna fare i conti col problema del TCP over TCP (vedi <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>). + Il Tethering di Android (via WiFi, USB o Bluetooth) e le API del servizio VPN (utilizzate da questo programma) non possono funzionare contemporaneamente. Per maggiori informazioni, <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">vedi qui#34</a> + VPN e Tethering diff --git a/res/values-ja/strings.xml b/res/values-ja/strings.xml index ff747efa..7bcdd61c 100755 --- a/res/values-ja/strings.xml +++ b/res/values-ja/strings.xml @@ -26,7 +26,7 @@ PKCS12のパスワード 選択 選択なし - TLS認証を使用する + TLS認証を使用します。 TLS Direction IPv6アドレスをCIDR形式で入力(例:2000:dd::23/64) IPv4アドレスをCIDR形式で入力(例:1.2.3.4/24) 
@@ -52,7 +52,7 @@ ショートカットで指定されたプロファイルが見つかりません ランダムなホスト プレフィックス ランダムな6文字をホスト名の前に付加します。 - カスタム オプションを有効にします。 + カスタム オプションを使用する カスタムオプションを指定します。注意を要します。 経路がAndroidにより拒否されました。 切断 @@ -62,14 +62,14 @@ VPN を削除 サーバがTLSサーバ証明書を使用する場合はチェックします。 TLS サーバーを除く - リモートサーバの証明書のCNをチェックする + リモートサーバの証明書のCNをチェックします。 証明書のホスト名を確認する リモートサーバをチェックする際の文字列を指定します。OpenVPNでは前方一致を行います。\"Server\"は\"Server-1\"と\"Server-2\"にマッチします。\n 空欄にすると、CNとサーバのホスト名を比較します。 リモートホスト名(CN) TLS鍵認証を有効にする TLS 認証ファイル - IPアドレス、経路情報、DNSなどの情報をサーバから取得 + IPアドレス、経路情報、DNSなどの情報をサーバから取得します。 サーバからは何も情報が取得できません。指定が必要な設定は以下の通りです。 情報取得の設定 DNS @@ -81,13 +81,13 @@ セカンダリDNSサーバーは、プライマリDNSサーバーに到達できない場合に使用します。 セカンダリDNSサーバー サーバ側指定の経路情報を無視する - - すべての通信をVPN経由にする - 既定の経路を使用 + サーバからプッシュされた経路情報を無視します。 + すべての通信をVPN経由にします + 既定の経路に使用 カスタム経路を入力します。宛先のみをCIDR形式で指定します。例えば \"10.0.0.0/8 2002::/16\"と指定すれば10.0.0.0/8と2002::/16への通信はVPNに向けられます。 カスタム経路情報 ログの詳細度 - 認証済みパケットをどのIPからでも受け付ける + 認証済みパケットをどのIPからでも受け付けます。 フローティング サーバーを許可 カスタム オプション VPN 設定の編集 @@ -115,12 +115,12 @@ クリップ ボードにコピーされたログ エントリ TAPモード TAPモードは非root化環境では動作しません。よってこのアプリケーションではTAPをサポートできません。 - まだ試しますか?TAPモードはサポートされていませんし、サポートされるかどうかメールを送ることは何の役にも立ちません。 + またですか?TAPモードはサポートされていませんし、サポートされるかどうかメールを送ることは何の役にも立ちません。 3回目です。本当のところ、TUN上で動くレイヤ2エミュレータを書くことはできました。(送信時の情報追加と受信時の情報削除で)。しかしこのエミュレータはARPやおそらくはDHCPをも実装しなければならないでしょう。誰もこのことに気がついていません。もしあなたがこの機能を作る気になったのであれば、どうぞ私に連絡してください。 よくある質問 よくある質問といくつかのアドバイス - ログ エントリをコピーします。 + ログ エントリのコピー 1行のログエントリをコピーするには、そのエントリをタッチし続けます。コピー/送信するには「ログエントリを送信」を使用します。GUIで表示されない場合はハードウェアのメニューボタンを使用してください。 起動ショートカット OpenVPNを起動するためのショートカットをデスクトップに配置できます。ショートカットやウィジェットを配置できるかどうかはホームスクリーンプログラムに依存します。 @@ -179,11 +179,11 @@ SDカード上のデータは本質的に無防備です。すべてのアプリ 生成された構成 全般設定 システムに/dev/tunの所有者を設定します。いくつかのCM9のイメージでVPNService APIを動作させるために必要です。root権限が必要です。 - /dev/tun の所有権を修正します。 + /dev/tun の所有権を修正 生成された OpenVPN の構成ファイルを表示します \"%S\"の編集 構成中・・・ - この設定を有効にすると、ネットワークの状態変化時(WiFi/モバイル)に再接続を行います + この設定を有効にすると、ネットワークの状態変化時(WiFi/モバイル)に再接続を行います。 ネットワーク変化時に再接続 \'%s\'の証明書をキーストアから読み出し ネットワーク状態: %s 
@@ -200,7 +200,7 @@ SDカード上のデータは本質的に無防備です。すべてのアプリ VPN接続通知(鍵の形)は、VPN接続が稼働中であることをAndroidが知らせています。いくつかのシステムではこの通知で音を鳴らします。\n Androidはあなた自身の安全性のために、これらを迂回できないようにしています。(いくつかのシステムでは、遺憾ながら音も伴います) 接続時の警告と通知音 - 日本語版翻訳 Artin. <tools@artin.nu> + 日本語翻訳 高橋正希@埼玉 <tools@artin.nu> IPとDNS 基本 経路設定 @@ -212,8 +212,8 @@ Androidはあなた自身の安全性のために、これらを迂回できな <p>動作確認済の設定ファイルを入手します。(あなたのコンピュータでテスト済のものや、プロバイダや会社などの組織からダウンロードしたもの)</p> <p>もしそれが単一のファイルでpemやpks12ファイルを伴わないなら、自分宛のメールに添付して送付し、それを開いてください。もし複数のファイルで構成されているならSDカードに格納してください。</p> <p>メールの添付ファイルを開く、あるいはVPNリストのフォルダアイコンをクリックして設定ファイルをインポートします。</p> -<p>もし、ファイルが足りないというエラーが表示されたら、足りなかったファイルをSDカード上に格納してください。</p> -<p>インポートされたVPN設定をリストに追加するには、保存アイコンをクリックします。t</p> +<p>もしファイルが足りないというエラーが表示されたら、足りなかったファイルをSDカード上に格納してください。</p> +<p>インポートされたVPN設定をリストに追加するには、保存アイコンをクリックします。</p> <p>VPNを接続するには、VPNの名称をクリックします。</p> <p>もし警告やエラーがログエントリに表示されたら、それらを調べて解決してください。</p> @@ -223,11 +223,9 @@ Androidはあなた自身の安全性のために、これらを迂回できな PKCS12の設定をAndroidのキーストアにインポートします プロキシ設定でエラー: %s プロキシを使用します %1$s %2$d - システムのプロキシ設定を使用します + システムのプロキシ設定を使用 システム全体の構成の HTTP/HTTPS プロキシ接続を使用します。 - 以下のURLで寄付いただけます。 -<a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\"> - + 以下のURLより寄付いただけます。 <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">PayPalで寄付</a> OpenVPNはシステムの再起動やシャットダウン時に再接続するようになります。このオプションを使用する前にFAQをご一読ください。 システム起動後に再接続 無視 
@@ -258,17 +256,18 @@ VPNサーバへの特別な経路(たとえばリダイレクトゲートウェ VPNService APIを使用してサーバに接続するアプリケーションはVPNトンネルを経路設定していなくても保証されます。 トンネルを指定しないその他の経路設定はサポートされません。(たとえば route x.x.x.x y.y.y.y net_gateway) ログウィンドウの情報表示ボタンは、現在のVPNServiceのネットワーク設定を表示します。 - OpenVPNが再接続試行中は、VPNなし状態を報告しない + OpenVPNが再接続試行中は、VPNなし状態を報告しません。 永続的なTUNデバイス 翻訳 OpenVPN のログ OpenVPN の構成のインポート バッテリー消費量 - 私の個人的な検証では、OpenVPNの高いバッテリ消耗の主要因はkeepaliveパケットです。 -大半のOpenVPNサーバは\'keepalive 10 60\'のような設定を持っており、これは10秒ごとにクライアントとサーバで相互にkeepaliveパケットを送ることを意味します。 -<p> これらのパケットは小さく、大きな帯域は要しませんが、通信機能を稼働させ続け電力消費を増大させます。 -<p> このkeepaliveの設定はクライアント側からは変更できません。システム管理者のみがOpenVPNの設定を変更できます。 -<p> 残念ながら60秒より大きなkeepaliveの間隔は、いくつかのNATゲートウェイにおいては接続状態が維持できずそれより短い間隔でタイムアウトします。(私の検証では60秒) -TCPモードと長めのkeepaliveタイムアウトは動作しますが、しかしTCP over TCP問題を引き起こします。(<a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">TCP over TCPは何故悪いのか</a>を参照) - + 個人的な検証では、OpenVPNがバッテリを多く消費する主な原因はkeepaliveパケットです。 +大部分のOpenVPNサーバは\'keepalive 10 60\'のような設定を持っており、これは10秒ごとにサーバとクライアントで相互にkeepaliveパケットを送信しあうことを意味します。 +<p> これらのパケットは小さく多くの帯域は使用しませんが、モバイル回線機能を常に稼動させ続け電力消費を増大させます。 +<p> このkeepalive設定はクライアント側からは変更できません。OpenVPNのシステム管理者のみが変更可能です。 +<p> 残念なことに、60秒より大きな間隔のUDP keepaliveはいくつかのNATゲートウェイにおいては接続状態が維持できず、それより短い時間でタイムアウトします。(検証では60秒) +TCP keepaliveと長いタイムアウト時間は動作しますが、TCP over TCP問題を引き起こします。(詳細は<a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">なぜTCP over TCPは悪いアイディアなのか</a>を参照) + Androidのテザリング機能(WiFi, USB, Bluetooth経由)とVPNService API(このプログラムから使用する機能)は同時に利用できません。詳細については<a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a>を参照 + VPN とテザリング -- cgit v1.2.3 From ea6e5cb50c114fe79789c13de7e0654602b79a81 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 17 Dec 2012 22:47:15 +0100 Subject: Added tag v0.5.27 for changeset 963a0716b027 --- .hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/.hgtags b/.hgtags index dad861fb..bbcc0d20 100644 --- a/.hgtags +++ b/.hgtags 
@@ -25,3 +25,4 @@ d356e8526528be9d800d83022aa8004c910fa407 v0.5.23 0378ae6b13074c269e4d38e9b78dddbb3b876643 v0.5.25 5f7744dd06982bf173376fe5916566414b1c5bea v0.5.25 2c62077b8c3f05dc15c5b0ab2bff5d0e0bdcb734 v0.5.26 +963a0716b027deaa7b00a5327165d3d130993aee v0.5.27 -- cgit v1.2.3 From ca4d1855e89c1496fb2da9ef73e49dc04779f904 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 17 Dec 2012 23:14:37 +0100 Subject: Version 0.5.27 --- AndroidManifest.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AndroidManifest.xml b/AndroidManifest.xml index a71ad54a..a56ba309 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -17,8 +17,8 @@ + android:versionCode="55" + android:versionName="0.5.27" > -- cgit v1.2.3 From fd52a72467252aa449f1c8081ed02fc064a65729 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 17 Dec 2012 23:14:48 +0100 Subject: Added tag v0.5.27 for changeset 4b88cad1e252 --- .hgtags | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.hgtags b/.hgtags index bbcc0d20..4e417218 100644 --- a/.hgtags +++ b/.hgtags @@ -26,3 +26,5 @@ d356e8526528be9d800d83022aa8004c910fa407 v0.5.23 5f7744dd06982bf173376fe5916566414b1c5bea v0.5.25 2c62077b8c3f05dc15c5b0ab2bff5d0e0bdcb734 v0.5.26 963a0716b027deaa7b00a5327165d3d130993aee v0.5.27 +963a0716b027deaa7b00a5327165d3d130993aee v0.5.27 +4b88cad1e252f6b1daf4a8dbb0ce8911604ba97a v0.5.27 -- cgit v1.2.3 From a01e771f678fbcfff3b7a38f42ce392102165fcc Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 18 Dec 2012 11:11:47 +0100 Subject: Fix a few warnings and one bug when importing a file with a pkcs12 which cannot be read --HG-- extra : rebase_source : d11215373582cb1a656f7cae9bf3642b34c3a2c9 --- src/de/blinkt/openvpn/ConfigConverter.java | 2 +- src/de/blinkt/openvpn/ConfigParser.java | 5 +++-- src/de/blinkt/openvpn/OpenVpnService.java | 4 +++- 3 files changed, 7 insertions(+), 4 deletions(-) 
diff --git a/src/de/blinkt/openvpn/ConfigConverter.java b/src/de/blinkt/openvpn/ConfigConverter.java index 3f204368..8d746409 100644 --- a/src/de/blinkt/openvpn/ConfigConverter.java +++ b/src/de/blinkt/openvpn/ConfigConverter.java @@ -176,7 +176,7 @@ public class ConfigConverter extends ListActivity { private void embedPKCS12File() { mResult.mPKCS12Filename = embedFile(mResult.mPKCS12Filename,true); - if(mResult.mPKCS12Filename.startsWith(VpnProfile.INLINE_TAG)) { + if(mResult.mPKCS12Filename!=null && mResult.mPKCS12Filename.startsWith(VpnProfile.INLINE_TAG)) { if(mResult.mAuthenticationType==VpnProfile.TYPE_USERPASS_KEYSTORE) mResult.mAuthenticationType=VpnProfile.TYPE_USERPASS_PKCS12; diff --git a/src/de/blinkt/openvpn/ConfigParser.java b/src/de/blinkt/openvpn/ConfigParser.java index 826f3b62..0e746d44 100644 --- a/src/de/blinkt/openvpn/ConfigParser.java +++ b/src/de/blinkt/openvpn/ConfigParser.java @@ -5,6 +5,7 @@ import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.util.HashMap; +import java.util.Locale; import java.util.Vector; //! Openvpn Config FIle Parser, probably not 100% accurate but close enough @@ -85,7 +86,7 @@ public class ConfigParser { private boolean space(char c) { // I really hope nobody is using zero bytes inside his/her config file // to sperate parameter but here we go: - return Character.isSpace(c) || c == '\0'; + return Character.isWhitespace(c) || c == '\0'; } @@ -525,7 +526,7 @@ public class ConfigParser { for(Vector optionline:args) if(optionline.size()< (minarg+1) || optionline.size() > maxarg+1) { - String err = String.format("Option %s has %d parameters, expected between %d and %d", + String err = String.format(Locale.getDefault(),"Option %s has %d parameters, expected between %d and %d", option,optionline.size()-1,minarg,maxarg ); throw new ConfigParseError(err); } 
diff --git a/src/de/blinkt/openvpn/OpenVpnService.java b/src/de/blinkt/openvpn/OpenVpnService.java index 122549a5..603f86ce 100644 --- a/src/de/blinkt/openvpn/OpenVpnService.java +++ b/src/de/blinkt/openvpn/OpenVpnService.java @@ -19,6 +19,7 @@ package de.blinkt.openvpn; import java.io.IOException; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.util.Locale; import java.util.Vector; import android.app.Notification; @@ -108,6 +109,7 @@ public class OpenVpnService extends VpnService implements StateListener { if(tickerText!=null) nbuilder.setTicker(tickerText); + @SuppressWarnings("deprecation") Notification notification = nbuilder.getNotification(); @@ -451,7 +453,7 @@ public class OpenVpnService extends VpnService implements StateListener { // Other notifications are shown, // This also mean we are no longer connected, ignore bytecount messages until next // CONNECTED - String ticker = state.toLowerCase(); + String ticker = state.toLowerCase(Locale.getDefault()); showNotification(state +" " + logmessage,ticker,false,0); } -- cgit v1.2.3 From e300225f32eb40961aee52aaaedb9bb6a7a249f4 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 18 Dec 2012 11:25:45 +0100 Subject: Fix the Illegal Thread State bug --- src/de/blinkt/openvpn/ConfigConverter.java | 2 +- src/de/blinkt/openvpn/OpenVPNThread.java | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/de/blinkt/openvpn/ConfigConverter.java b/src/de/blinkt/openvpn/ConfigConverter.java index 8d746409..393384b8 100644 --- a/src/de/blinkt/openvpn/ConfigConverter.java +++ b/src/de/blinkt/openvpn/ConfigConverter.java @@ -228,7 +228,7 @@ public class ConfigConverter extends ListActivity { File possibleFile = findFile(filename); if(possibleFile==null) - return null; + return filename; else return readFileContent(possibleFile,base64encode); 
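Review bot: `state.toLowerCase(Locale.getDefault())` in the OpenVpnService.java hunk at `@@ -451,7 +453,7 @@` silences the lint warning but keeps the locale-dependent case mapping, so the result still varies with the device language (under a Turkish locale `I` becomes a dotless `ı`). If `state` is an OpenVPN state keyword rather than user-written text, which the nearby comment about CONNECTED suggests, a fixed locale is more predictable: `String ticker = state.toLowerCase(Locale.US);`. The same consideration applies to `String.format(Locale.getDefault(), ...)` in the ConfigParser.java hunk if that message is ever matched rather than only displayed. The enclosing method starts and ends outside the hunk.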
diff --git a/src/de/blinkt/openvpn/OpenVPNThread.java b/src/de/blinkt/openvpn/OpenVPNThread.java index b4ead269..13b8688b 100644 --- a/src/de/blinkt/openvpn/OpenVPNThread.java +++ b/src/de/blinkt/openvpn/OpenVPNThread.java @@ -39,9 +39,11 @@ public class OpenVPNThread implements Runnable { } finally { int exitvalue = 0; try { - exitvalue = mProcess.exitValue(); + exitvalue = mProcess.waitFor(); } catch ( IllegalThreadStateException ite) { OpenVPN.logError("Illegal Thread state: " + ite.getLocalizedMessage()); + } catch (InterruptedException ie) { + OpenVPN.logError("InterruptedException: " + ie.getLocalizedMessage()); } if( exitvalue != 0) OpenVPN.logError("Process exited with exit value " + exitvalue); @@ -84,12 +86,12 @@ public class OpenVPNThread implements Runnable { mProcess.getOutputStream().close(); InputStream in = mProcess.getInputStream(); BufferedReader br = new BufferedReader(new InputStreamReader(in)); - - + while(true) { String logline = br.readLine(); - if(logline==null) + if(logline==null) { return; + } OpenVPN.logMessage(0, "P:", logline); } -- cgit v1.2.3 From 1e26d7cfb3a4d951847f08de5cbeac361a83ddb6 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 18 Dec 2012 17:50:48 +0100 Subject: Ignore status file writing --- src/de/blinkt/openvpn/ConfigParser.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/de/blinkt/openvpn/ConfigParser.java b/src/de/blinkt/openvpn/ConfigParser.java index 0e746d44..ed8d4724 100644 --- a/src/de/blinkt/openvpn/ConfigParser.java +++ b/src/de/blinkt/openvpn/ConfigParser.java @@ -232,6 +232,7 @@ public class ConfigParser { "route-method", "script-security", "show-net-up", + "status", "suppress-timestamps", "tmp-dir", "topology", -- cgit v1.2.3 From 904ce469f833d005b9d209b415924d3ba64bfb01 Mon Sep 17 00:00:00 2001 
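Review bot: The new `catch (InterruptedException ie)` in the `finally` block of OpenVPNThread (hunk `@@ -39,9 +39,11 @@`) logs the exception but drops the interrupt, and it leaves `exitvalue` at 0, so an interrupted wait looks the same as a clean exit. Restore the flag in that catch with `Thread.currentThread().interrupt();`. The remaining `catch (IllegalThreadStateException ite)` belonged to `exitValue()`; `Process.waitFor()` does not throw it, so that branch is now dead and can be removed. The enclosing `try` starts outside the hunk.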
From: Arne Schwabe Date: Sat, 22 Dec 2012 17:47:59 +0100 Subject: Add google-breakpad support to ics-openvpn --- AndroidManifest.xml | 11 +++++- jni/Android.mk | 4 ++ jni/Application.mk | 1 + openvpn/Android.mk | 17 ++++++-- openvpn/src/openvpn/init.c | 5 ++- openvpn/src/openvpn/openvpn.c | 6 +++ res/menu/logmenu.xml | 12 ++++-- src/de/blinkt/openvpn/LogWindow.java | 75 +++++++++++++++++++++++++++++++++++- src/de/blinkt/openvpn/OpenVPN.java | 2 +- 9 files changed, 122 insertions(+), 11 deletions(-) diff --git a/AndroidManifest.xml b/AndroidManifest.xml index a56ba309..8ccd1e96 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -24,10 +24,13 @@ + - + + + \ No newline at end of file diff --git a/jni/Android.mk b/jni/Android.mk index 3514b920..283be302 100644 --- a/jni/Android.mk +++ b/jni/Android.mk @@ -5,6 +5,10 @@ include lzo/Android.mk include openssl/Android.mk +ifneq ($(TARGET_ARCH),mips) +include google-breakpad/android/google_breakpad/Android.mk +endif + include openvpn/Android.mk diff --git a/jni/Application.mk b/jni/Application.mk index 38ce95f3..5670b6e3 100644 --- a/jni/Application.mk +++ b/jni/Application.mk @@ -1,6 +1,7 @@ APP_ABI := all NDK_TOOLCHAIN_VERSION=4.4.3 #APP_PLATFORM := android-14 +APP_STL:=stlport_static #APP_OPTIM := release diff --git a/openvpn/Android.mk b/openvpn/Android.mk index b27ef794..6307e5e0 100644 --- a/openvpn/Android.mk +++ b/openvpn/Android.mk 
@@ -1,17 +1,21 @@ -# Android openvpn JNI LOCAL_PATH:= $(call my-dir)/ include $(CLEAR_VARS) LOCAL_LDLIBS := -lz -LOCAL_C_INCLUDES := openssl/include lzo/include openssl/crypto openssl openvpn/src/compat openvpn/src/openvpn openvpn/include +LOCAL_C_INCLUDES := openssl/include lzo/include openssl/crypto openssl openvpn/src/compat openvpn/src/openvpn openvpn/include google-breakpad/src google-breakpad/src/common/android/include LOCAL_SHARED_LIBRARIES := libssl libcrypto #LOCAL_STATIC_LIBRARIES := libssl_static libcrypto_static liblzo-static + +LOCAL_CFLAGS= -DHAVE_CONFIG_H -DTARGET_ABI=\"${TARGET_ABI}\" LOCAL_STATIC_LIBRARIES := liblzo-static +ifneq ($(TARGET_ARCH),mips) +LOCAL_STATIC_LIBRARIES += breakpad_client +LOCAL_CFLAGS += -DGOOGLE_BREAKPAD=1 +endif -LOCAL_CFLAGS= -DHAVE_CONFIG_H -DTARGET_ABI=\"${TARGET_ABI}\" LOCAL_MODULE = openvpn LOCAL_SRC_FILES:= \ @@ -85,7 +89,12 @@ LOCAL_SRC_FILES:= \ src/openvpn/ssl_verify_openssl.c \ src/openvpn/ssl_verify_polarssl.c \ src/openvpn/status.c \ - src/openvpn/tun.c + src/openvpn/tun.c +ifneq ($(TARGET_ARCH),mips) +LOCAL_SRC_FILES+=../jni/icsandroid.cpp +endif + + include $(BUILD_SHARED_LIBRARY) #include $(BUILD_EXECUTABLE) diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index 6a1ed02d..e2942c00 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c @@ -3704,7 +3704,10 @@ close_context (struct context *c, int sig, unsigned int flags) { if ((flags & CC_USR1_TO_HUP) || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP))) - c->sig->signal_received = SIGHUP; + { + c->sig->signal_received = SIGHUP; + c->sig->signal_text = "close_context usr1 to hup"; + } } if (!(flags & CC_NO_CLOSE)) diff --git a/openvpn/src/openvpn/openvpn.c b/openvpn/src/openvpn/openvpn.c index 104c9e93..4bae5274 100644 --- a/openvpn/src/openvpn/openvpn.c +++ b/openvpn/src/openvpn/openvpn.c 
@@ -321,6 +321,12 @@ wmain (int argc, wchar_t *wargv[]) { #else int main (int argc, char *argv[]) { +#ifdef TARGET_ANDROID +#ifdef GOOGLE_BREAKPAD +#include "../jni/icsandroid.h" + setup_breakpad(); +#endif +#endif return openvpn_main(argc, argv); } #endif diff --git a/res/menu/logmenu.xml b/res/menu/logmenu.xml index 4b55e73b..ec2997b0 100644 --- a/res/menu/logmenu.xml +++ b/res/menu/logmenu.xml @@ -1,6 +1,11 @@ - + + - - + \ No newline at end of file diff --git a/src/de/blinkt/openvpn/LogWindow.java b/src/de/blinkt/openvpn/LogWindow.java index 8d228cf1..3c0f7246 100644 --- a/src/de/blinkt/openvpn/LogWindow.java +++ b/src/de/blinkt/openvpn/LogWindow.java @@ -1,5 +1,9 @@ package de.blinkt.openvpn; +import java.io.File; +import java.io.FileWriter; +import java.io.IOException; +import java.util.ArrayList; import java.util.Vector; import android.app.AlertDialog; @@ -12,6 +16,7 @@ import android.content.DialogInterface; import android.content.DialogInterface.OnClickListener; import android.content.Intent; import android.database.DataSetObserver; +import android.net.Uri; import android.os.Bundle; import android.os.Handler; import android.os.Handler.Callback; @@ -76,6 +81,7 @@ public class LogWindow extends ListActivity implements StateListener { return str; } + private void shareLog() { Intent shareIntent = new Intent(Intent.ACTION_SEND); shareIntent.putExtra(Intent.EXTRA_TEXT, getLogStr()); @@ -215,12 +221,15 @@ public class LogWindow extends ListActivity implements StateListener { OpenVpnManagementThread.stopOpenVPN(); } }); - + builder.show(); return true; } else if(item.getItemId()==R.id.info) { if(mBconfig==null) OpenVPN.triggerLogBuilderConfig(); + } else if(item.getItemId()==R.id.minidump) { + emailMiniDumps(); + } else if(item.getItemId()==R.id.send) { ladapter.shareLog(); } else if(item.getItemId()==R.id.edit_vpn) { 
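Review bot: In the openvpn.c hunk, `#include "../jni/icsandroid.h"` sits inside the body of `main()`, so everything the header declares lands at block scope; this only works while the header holds nothing but the `setup_breakpad` prototype. Move the include to the top of the file under the same `#ifdef TARGET_ANDROID` / `#ifdef GOOGLE_BREAKPAD` guards and keep only `setup_breakpad();` in `main()`. A one-line comment such as `/* install the minidump handler before any OpenVPN code runs */` would document why the call comes first.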
@@ -249,9 +258,73 @@ public class LogWindow extends ListActivity implements StateListener { public boolean onCreateOptionsMenu(Menu menu) { MenuInflater inflater = getMenuInflater(); inflater.inflate(R.menu.logmenu, menu); + + + + if(getLastestDump()==null) + menu.removeItem(R.id.minidump); + return true; } + private File getLastestDump() { + long newestDumpTime=0; + File newestDumpFile=null; + + for(File f:getCacheDir().listFiles()) { + if(!f.getName().endsWith(".dmp")) + continue; + + if (newestDumpTime < f.lastModified()) { + newestDumpTime = f.lastModified(); + newestDumpFile=f; + } + } + return newestDumpFile; + } + + + public void emailMiniDumps() + { + //need to "send multiple" to get more than one attachment + final Intent emailIntent = new Intent(android.content.Intent.ACTION_SEND_MULTIPLE); + emailIntent.setType("*/*"); + emailIntent.putExtra(android.content.Intent.EXTRA_EMAIL, + new String[]{"Arne Schwabe "}); + emailIntent.putExtra(Intent.EXTRA_SUBJECT, "OpenVPN Minidump"); + + + ArrayList textarraylist = new ArrayList(); + textarraylist.add("Please describe the issue you have experienced"); + emailIntent.putExtra(Intent.EXTRA_TEXT, textarraylist); + + + ArrayList uris = new ArrayList(); + + File ldump = getLastestDump(); + if(ldump==null) { + OpenVPN.logError("No Minidump found!"); + } + + uris.add(Uri.parse("content://de.blinkt.openvpn.FileProvider/" + ldump.getName())); + uris.add(Uri.parse("content://de.blinkt.openvpn.FileProvider/openvpn.log")); + + + try { + FileWriter logout = new FileWriter(new File(getCacheDir(),"openvpn.log")); + logout.write(ladapter.getLogStr()); + logout.close(); + + } catch (IOException e1) { + OpenVPN.logError("Error writing log: " + e1.getLocalizedMessage()); + } + + //emailIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); + emailIntent.putParcelableArrayListExtra(Intent.EXTRA_STREAM, uris); + startActivity(emailIntent); + } + + @Override protected void onResume() { super.onResume(); 
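Review bot: In `emailMiniDumps()` the `if(ldump==null)` branch only logs, so the following `ldump.getName()` dereferences null; add `return;` after `OpenVPN.logError("No Minidump found!");`. `getLastestDump()` has a similar gap, because `getCacheDir().listFiles()` can return null and the for loop does not guard against it. The `FileWriter` for openvpn.log is not closed when `write` throws, so close it in a `finally` block. Note also that the full connection log is written under a fixed file name in the cache directory and handed out as a `content://` URI while `FLAG_GRANT_READ_URI_PERMISSION` is commented out, so who can read it depends entirely on how the provider is declared in the manifest.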
diff --git a/src/de/blinkt/openvpn/OpenVPN.java b/src/de/blinkt/openvpn/OpenVPN.java index 6b65c22e..48623865 100644 --- a/src/de/blinkt/openvpn/OpenVPN.java +++ b/src/de/blinkt/openvpn/OpenVPN.java @@ -163,7 +163,7 @@ public class OpenVPN { } public static void logInfo(String message) { - + newlogItem(new LogItem(LogItem.INFO, message)); } public static void logInfo(int ressourceId, Object... args) { -- cgit v1.2.3 From 2ddc5f8b867aabe1820d37bb89db8e91efd10234 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sat, 22 Dec 2012 22:57:54 +0100 Subject: commit files forgot in last commit, add push fix --- jni/icsandroid.cpp | 30 ++++++++ jni/icsandroid.h | 9 +++ openvpn/src/openvpn/push.c | 1 + src/de/blinkt/openvpn/FileProvider.java | 129 ++++++++++++++++++++++++++++++++ 4 files changed, 169 insertions(+) create mode 100644 jni/icsandroid.cpp create mode 100644 jni/icsandroid.h create mode 100644 src/de/blinkt/openvpn/FileProvider.java diff --git a/jni/icsandroid.cpp b/jni/icsandroid.cpp new file mode 100644 index 00000000..cd63c6fd --- /dev/null +++ b/jni/icsandroid.cpp @@ -0,0 +1,30 @@ + +#include "icsandroid.h" +#include "client/linux/handler/exception_handler.h" + +namespace { + +bool DumpCallback(const google_breakpad::MinidumpDescriptor& descriptor, + void* context, + bool succeeded) { + printf("Dump path: %s\n", descriptor.path()); +fflush(stdout); + return succeeded; +} + +void Crash() { + volatile int* a = reinterpret_cast(NULL); + *a = 1; +} + +} // namespace + +static google_breakpad::MinidumpDescriptor* desc; +static google_breakpad::ExceptionHandler* eh; +void setup_breakpad(void) +{ +printf("Initializing Google Breakpad!\n"); +desc = new google_breakpad::MinidumpDescriptor("/data/data/de.blinkt.openvpn/cache"); +eh = new google_breakpad::ExceptionHandler(*desc, NULL, DumpCallback, NULL, true,-1); +} + diff --git a/jni/icsandroid.h b/jni/icsandroid.h new file mode 100644 index 00000000..cd11da40 --- /dev/null +++ b/jni/icsandroid.h 
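Review bot: `DumpCallback` in jni/icsandroid.cpp calls `printf` and `fflush`, which are not async-signal-safe, although Breakpad runs this callback from the crash handler; the callback should do no more than `return succeeded;`, or use a raw `write` if the path must be reported. The dump directory is hard-coded as `/data/data/de.blinkt.openvpn/cache` while the Java side looks for dumps in `getCacheDir()`, so the two can diverge, for example for a secondary user. Having the Java launcher pass the directory in, for instance as an argument or environment variable, would keep them aligned. `Crash()` is unused and deliberately writes through a null pointer, so it should be removed rather than shipped.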
@@ -0,0 +1,9 @@ +#ifdef __cplusplus +extern "C" { +#endif + + void setup_breakpad(void); + +#ifdef __cplusplus +} +#endif diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c index 929a2f24..148d7ebe 100644 --- a/openvpn/src/openvpn/push.c +++ b/openvpn/src/openvpn/push.c @@ -464,6 +464,7 @@ process_incoming_push_msg (struct context *c, md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); ret = PUSH_MSG_REPLY; + md5_state_init (&c->c2.pulled_options_state); break; case 2: md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); diff --git a/src/de/blinkt/openvpn/FileProvider.java b/src/de/blinkt/openvpn/FileProvider.java new file mode 100644 index 00000000..1147ccf0 --- /dev/null +++ b/src/de/blinkt/openvpn/FileProvider.java 
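Review bot: The added `md5_state_init (&c->c2.pulled_options_state);` in `case 1` of the push.c hunk has no comment, and it is not obvious why the state is re-initialised right after `md5_state_final`. Presumably the intent is that a later push message must not call `md5_state_update` on a finalised context; if so, state it, e.g. `/* restart the digest so a subsequent PUSH_REPLY hashes from a clean state */`. Whether `case 2` needs the same reset cannot be judged here, because the switch starts and ends outside the hunk.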
@@ -0,0 +1,129 @@ +/* + * Copyright (C) 2011 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package de.blinkt.openvpn; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; + +import android.content.ContentProvider; +import android.content.ContentValues; +import android.content.ContentProvider.PipeDataWriter; +import android.content.res.AssetFileDescriptor; +import android.database.Cursor; +import android.net.Uri; +import android.os.Bundle; +import android.os.ParcelFileDescriptor; +import android.util.Log; + +/** + * A very simple content provider that can serve arbitrary asset files from + * our .apk. + */ +public class FileProvider extends ContentProvider + implements PipeDataWriter { + @Override + public boolean onCreate() { + return true; + } + + @Override + public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, + String sortOrder) { + // Don't support queries. + return null; + } + + @Override + public Uri insert(Uri uri, ContentValues values) { + // Don't support inserts. + return null; + } + + @Override + public int delete(Uri uri, String selection, String[] selectionArgs) { + // Don't support deletes. 
+ return 0; + } + + @Override + public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { + // Don't support updates. + return 0; + } + + @Override + public String getType(Uri uri) { + // For this sample, assume all files are .apks. + return "application/octet-stream"; + } + + @Override + public AssetFileDescriptor openAssetFile(Uri uri, String mode) throws FileNotFoundException { + // Try to open an asset with the given name. + String path = uri.getPath(); + if(path.startsWith("/")) + path = path.replaceFirst("/", ""); + + // I think this already random enough, no need for magic secure cookies + // 1f9563a4-a1f5-2165-255f2219-111823ef.dmp + if (!path.matches("^[0-9a-z-.]*$")) + throw new FileNotFoundException("url not in expect format " + uri); + + try { + + File cachedir = getContext().getCacheDir(); + File dumpfile = new File(cachedir,path); + InputStream is = new FileInputStream(dumpfile); + // Start a new thread that pipes the stream data back to the caller. + return new AssetFileDescriptor( + openPipeHelper(uri, null, null, is, this), 0, + dumpfile.length()); + } catch (IOException e) { + FileNotFoundException fnf = new FileNotFoundException("Unable to open minidump " + uri); + throw fnf; + } + } + + @Override + public void writeDataToPipe(ParcelFileDescriptor output, Uri uri, String mimeType, + Bundle opts, InputStream args) { + // Transfer data from the asset to the pipe the client is reading. + byte[] buffer = new byte[8192]; + int n; + FileOutputStream fout = new FileOutputStream(output.getFileDescriptor()); + try { + while ((n=args.read(buffer)) >= 0) { + fout.write(buffer, 0, n); + } + } catch (IOException e) { + Log.i("OpenVPNFileProvider", "Failed transferring", e); + } finally { + try { + args.close(); + } catch (IOException e) { + } + try { + fout.close(); + } catch (IOException e) { + } + } + } +} -- cgit v1.2.3 From fac7abcf6717bf1c188b04b9f42af3924cef8f33 Mon Sep 17 00:00:00 2001 
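Review bot: The name check in `openAssetFile`, `path.matches("^[0-9a-z-.]*$")`, accepts every lowercase file name in the cache directory, so the provider serves any such file and not only minidumps. The comment above it makes the hard-to-guess dump name the only access control. Restrict the pattern to the dump name shape shown in that comment, e.g. `"^[0-9a-f-]+\\.dmp$"`, and decide in the manifest whether other apps need to reach this provider at all. The `getType` comment about .apks is left over from the sample and should describe minidumps.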
From: Arne Schwabe Date: Sat, 22 Dec 2012 23:26:18 +0100 Subject: Parse the tls-remote server string, fix import message (Closes Issue #124) --- res/values/strings.xml | 2 +- src/de/blinkt/openvpn/ConfigParser.java | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/res/values/strings.xml b/res/values/strings.xml index ff0c592c..eea81d8b 100755 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -237,4 +237,4 @@ Number of seconds to wait between connection attempts. Seconds between connections - \ No newline at end of file + diff --git a/src/de/blinkt/openvpn/ConfigParser.java b/src/de/blinkt/openvpn/ConfigParser.java index ed8d4724..7d93a94e 100644 --- a/src/de/blinkt/openvpn/ConfigParser.java +++ b/src/de/blinkt/openvpn/ConfigParser.java @@ -451,6 +451,12 @@ public class ConfigParser { if(connectretrymax!=null) np.mConnectRetryMax =connectretrymax.get(1); + Vector> remotetls = getAllOption("remote-tls", 1, 1); + if(remotetls!=null) + if(remotetls.get(1).equals("server")) + np.mExpectTLSCert=true; + else + options.put("remotetls",remotetls); Vector authuser = getOption("auth-user-pass",0,1); if(authuser !=null){ -- cgit v1.2.3 From 174a0c8a3807df22ebd5731e139c0f0bb511f85b Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 23 Dec 2012 01:07:51 +0100 Subject: Fix importing of embedded PKCS12 files --- src/de/blinkt/openvpn/ConfigConverter.java | 50 +++++++++++++++++++++--------- src/de/blinkt/openvpn/ConfigParser.java | 7 +++-- 2 files changed, 39 insertions(+), 18 deletions(-) diff --git a/src/de/blinkt/openvpn/ConfigConverter.java b/src/de/blinkt/openvpn/ConfigConverter.java index 393384b8..c08b176d 100644 --- a/src/de/blinkt/openvpn/ConfigConverter.java +++ b/src/de/blinkt/openvpn/ConfigConverter.java 
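Review bot: `remotetls.get(1).equals("server")` tests an element of the vector returned by `getAllOption`, which appears to be a vector of option vectors, against a string. If so, the branch that sets `np.mExpectTLSCert` is never taken, and `get(1)` is out of range when the option occurs once. Index the first occurrence instead, `remotetls.get(0).get(1)`. The directive parsed here is `remote-tls`, which does not match the `tls-remote` of the commit subject; confirm the intended name. The nested `if … if … else` relies on the `else` binding to the inner `if`, so add braces to make that explicit; the same form is kept in the later ConfigParser hunk on this page.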
@@ -143,23 +143,22 @@ public class ConfigConverter extends ListActivity { private Intent installPKCS12() { if(!((CheckBox)findViewById(R.id.importpkcs12)).isChecked()) { - embedPKCS12File(); + setAuthTypeToEmbeddedPKCS12(); return null; + } - - File possiblepkcs12 = findFile(mResult.mPKCS12Filename); - if(possiblepkcs12!=null) { + String pkcs12datastr = mResult.mPKCS12Filename; + if(pkcs12datastr!=null && pkcs12datastr.startsWith(VpnProfile.INLINE_TAG)) { Intent inkeyintent = KeyChain.createInstallIntent(); - byte[] pkcs12data; - try { - pkcs12data = readBytesFromFile(possiblepkcs12); - } catch (IOException e) { - return null; - } + + pkcs12datastr= pkcs12datastr.substring(VpnProfile.INLINE_TAG.length()); + + + byte[] pkcs12data = Base64.decode(pkcs12datastr, Base64.DEFAULT); + inkeyintent.putExtra(KeyChain.EXTRA_PKCS12,pkcs12data ); - mAliasName = possiblepkcs12.getName().replace(".p12", ""); if(mAliasName.equals("")) mAliasName=null; @@ -174,8 +173,7 @@ public class ConfigConverter extends ListActivity { - private void embedPKCS12File() { - mResult.mPKCS12Filename = embedFile(mResult.mPKCS12Filename,true); + private void setAuthTypeToEmbeddedPKCS12() { if(mResult.mPKCS12Filename!=null && mResult.mPKCS12Filename.startsWith(VpnProfile.INLINE_TAG)) { if(mResult.mAuthenticationType==VpnProfile.TYPE_USERPASS_KEYSTORE) mResult.mAuthenticationType=VpnProfile.TYPE_USERPASS_PKCS12; @@ -234,7 +232,18 @@ public class ConfigConverter extends ListActivity { } - private File findFile(String filename) + private File findFile(String filename) { + File foundfile =findFileRaw(filename); + + if (foundfile==null && filename!=null && !filename.equals("")) + log(R.string.import_could_not_open,filename); + + return foundfile; + } + + + + private File findFileRaw(String filename) { if(filename == null || filename.equals("")) return null; @@ -274,7 +283,6 @@ public class ConfigConverter extends ListActivity { } } - log(R.string.import_could_not_open,filename); return null; } 
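Review bot: `Base64.decode(pkcs12datastr, Base64.DEFAULT)` in `installPKCS12` throws IllegalArgumentException on malformed input, and the string may come from an inline block in the imported configuration. The removed file-reading path returned null on IOException; the new path has no equivalent guard, so a bad import would crash the activity. Wrap the call, `try { pkcs12data = Base64.decode(pkcs12datastr, Base64.DEFAULT); } catch (IllegalArgumentException e) { return null; }`, and report the failure in the import log.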
@@ -324,10 +332,22 @@ public class ConfigConverter extends ListActivity { // This where I would like to have a c++ style // void embedFile(std::string & option) + if (mResult.mPKCS12Filename!=null) { + File pkcs12file = findFileRaw(mResult.mPKCS12Filename); + if(pkcs12file!=null) { + mAliasName = pkcs12file.getName().replace(".p12", ""); + } else { + mAliasName = "Imported PKCS12"; + } + } + + mResult.mCaFilename = embedFile(mResult.mCaFilename); mResult.mClientCertFilename = embedFile(mResult.mClientCertFilename); mResult.mClientKeyFilename = embedFile(mResult.mClientKeyFilename); mResult.mTLSAuthFilename = embedFile(mResult.mTLSAuthFilename); + mResult.mPKCS12Filename = embedFile(mResult.mPKCS12Filename,true); + if(mResult.mUsername != null && !mResult.mUsername.equals("")){ String data =embedFile(mResult.mUsername); diff --git a/src/de/blinkt/openvpn/ConfigParser.java b/src/de/blinkt/openvpn/ConfigParser.java index 7d93a94e..f2814f7e 100644 --- a/src/de/blinkt/openvpn/ConfigParser.java +++ b/src/de/blinkt/openvpn/ConfigParser.java @@ -235,8 +235,9 @@ public class ConfigParser { "status", "suppress-timestamps", "tmp-dir", + "tun-ipv6", "topology", - "win-sys" + "win-sys", }; @@ -451,9 +452,9 @@ public class ConfigParser { if(connectretrymax!=null) np.mConnectRetryMax =connectretrymax.get(1); - Vector> remotetls = getAllOption("remote-tls", 1, 1); + Vector> remotetls = getAllOption("remote-cert-tls", 1, 1); if(remotetls!=null) - if(remotetls.get(1).equals("server")) + if(remotetls.get(0).get(1).equals("server")) np.mExpectTLSCert=true; else options.put("remotetls",remotetls); -- cgit v1.2.3 From 3dbb55fe35b12e5fcbf38e7ecf8de043b16327de Mon Sep 17 00:00:00 2001 
From: Arne Schwabe Date: Mon, 24 Dec 2012 07:47:50 +0100 Subject: Make send mini dump work with non Gmail Mail app, make google sending better placed --- AndroidManifest.xml | 5 +- openvpn/Android.mk | 2 +- openvpn/src/openvpn/breakpad.cpp | 29 +++ openvpn/src/openvpn/breakpad.h | 13 ++ openvpn/src/openvpn/error.c | 7 + openvpn/src/openvpn/openvpn.c | 10 +- openvpn/src/openvpn/socket.c | 2 +- res/menu/logmenu.xml | 6 - res/values/strings.xml | 3 + src/de/blinkt/openvpn/FileProvider.java | 206 ++++++++++++--------- src/de/blinkt/openvpn/LogWindow.java | 70 ------- src/de/blinkt/openvpn/MainActivity.java | 14 ++ src/de/blinkt/openvpn/OpenVPN.java | 58 +++--- src/de/blinkt/openvpn/OpenVPNThread.java | 21 ++- src/de/blinkt/openvpn/OpenVpnManagementThread.java | 10 +- src/de/blinkt/openvpn/SendDumpActivity.java | 60 ++++++ 16 files changed, 314 insertions(+), 202 deletions(-) create mode 100644 openvpn/src/openvpn/breakpad.cpp create mode 100644 openvpn/src/openvpn/breakpad.h create mode 100644 src/de/blinkt/openvpn/SendDumpActivity.java diff --git a/AndroidManifest.xml b/AndroidManifest.xml index 8ccd1e96..564d4396 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -43,6 +43,7 @@ + @@ -121,8 +122,8 @@ + android:exported="true" + android:grantUriPermissions="true" /> \ No newline at end of file diff --git a/openvpn/Android.mk b/openvpn/Android.mk index 6307e5e0..c68bcccf 100644 --- a/openvpn/Android.mk +++ b/openvpn/Android.mk @@ -91,7 +91,7 @@ LOCAL_SRC_FILES:= \ src/openvpn/status.c \ src/openvpn/tun.c ifneq ($(TARGET_ARCH),mips) -LOCAL_SRC_FILES+=../jni/icsandroid.cpp +LOCAL_SRC_FILES+=src/openvpn/breakpad.cpp endif diff --git a/openvpn/src/openvpn/breakpad.cpp b/openvpn/src/openvpn/breakpad.cpp new file mode 100644 index 00000000..cfcc10a8 --- /dev/null +++ b/openvpn/src/openvpn/breakpad.cpp 
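Review bot: `android:exported="true"` makes this component reachable by every app on the device with no permission attached. The element it belongs to is not visible in the hunk, but next to `android:grantUriPermissions="true"` it is presumably the FileProvider `<provider>`. SendDumpActivity in this commit already adds `Intent.FLAG_GRANT_READ_URI_PERMISSION` to the share intent. Where the platform applies that grant to the attached streams, `android:exported="false"` with `grantUriPermissions` kept would limit reads to the app the user picked. If a mail client needs the exported form, record that in a comment, because the file-name pattern in FileProvider is then the only guard on the minidump and its log.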
@@ -0,0 +1,29 @@ + +#include "breakpad.h" +#include "client/linux/handler/exception_handler.h" + + +static +bool DumpCallback(const google_breakpad::MinidumpDescriptor& descriptor, + void* context, + bool succeeded) { + printf("Dump path: %s\n", descriptor.path()); + fflush(stdout); + fflush(stderr); + return succeeded; +} + +static google_breakpad::MinidumpDescriptor* desc; +static google_breakpad::ExceptionHandler* eh; + +void breakpad_setup(void) +{ + printf("Initializing Google Breakpad!\n"); + desc = new google_breakpad::MinidumpDescriptor("/data/data/de.blinkt.openvpn/cache"); + eh = new google_breakpad::ExceptionHandler(*desc, NULL, DumpCallback, NULL, true,-1); +} + +void breakpad_dodump(void) +{ + eh->WriteMinidump(); +} diff --git a/openvpn/src/openvpn/breakpad.h b/openvpn/src/openvpn/breakpad.h new file mode 100644 index 00000000..84df62ab --- /dev/null +++ b/openvpn/src/openvpn/breakpad.h @@ -0,0 +1,13 @@ +#ifndef BUFFER_H +#define BUFFER_H + +#ifdef __cplusplus +extern "C" { +#endif + void breakpad_setup(void); + void breakpad_dodump(void); +#ifdef __cplusplus +} +#endif + +#endif diff --git a/openvpn/src/openvpn/error.c b/openvpn/src/openvpn/error.c index ebe9a52d..98611a1b 100644 --- a/openvpn/src/openvpn/error.c +++ b/openvpn/src/openvpn/error.c @@ -57,6 +57,10 @@ #endif #endif +#ifdef GOOGLE_BREAKPAD +#include "breakpad.h" +#endif + /* Globals */ unsigned int x_debug_level; /* GLOBAL */ @@ -399,6 +403,9 @@ dont_mute (unsigned int flags) void assert_failed (const char *filename, int line) { +#ifdef GOOGLE_BREAKPAD + breakpad_dodump(); +#endif msg (M_FATAL, "Assertion failed at %s:%d", filename, line); } diff --git a/openvpn/src/openvpn/openvpn.c b/openvpn/src/openvpn/openvpn.c index 4bae5274..a177d9e8 100644 --- a/openvpn/src/openvpn/openvpn.c +++ b/openvpn/src/openvpn/openvpn.c 
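Review bot: The include guard in breakpad.h is `BUFFER_H`, which looks copied from another header. If a header in the tree already uses that guard (OpenVPN's buffer.h is the likely candidate, to be confirmed), including it first leaves breakpad.h empty. `breakpad_setup` and `breakpad_dodump` would then be called in error.c and openvpn.c without a prototype. Rename the guard: `#ifndef BREAKPAD_H` / `#define BREAKPAD_H`.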
@@ -41,6 +41,10 @@ #define P2P_CHECK_SIG() EVENT_LOOP_CHECK_SIGNAL (c, process_signal_p2p, c); +#ifdef GOOGLE_BREAKPAD +#include "breakpad.h" +#endif + static bool process_signal_p2p (struct context *c) { @@ -321,12 +325,10 @@ wmain (int argc, wchar_t *wargv[]) { #else int main (int argc, char *argv[]) { -#ifdef TARGET_ANDROID #ifdef GOOGLE_BREAKPAD -#include "../jni/icsandroid.h" - setup_breakpad(); -#endif + breakpad_setup(); #endif + return openvpn_main(argc, argv); } #endif diff --git a/openvpn/src/openvpn/socket.c b/openvpn/src/openvpn/socket.c index 29a15a63..9a33197c 100644 --- a/openvpn/src/openvpn/socket.c +++ b/openvpn/src/openvpn/socket.c @@ -1255,7 +1255,7 @@ resolve_remote (struct link_socket *sock, if (remote_dynamic) *remote_dynamic = NULL; } - else + /* else, quick hack to fix persistent-remote ....*/ { CLEAR (sock->info.lsa->actual); if(sock->info.lsa->current_remote) diff --git a/res/menu/logmenu.xml b/res/menu/logmenu.xml index ec2997b0..bb810df0 100644 --- a/res/menu/logmenu.xml +++ b/res/menu/logmenu.xml @@ -1,11 +1,5 @@ - Reconnection settings Number of seconds to wait between connection attempts. Seconds between connections + OpenVPN crashed unexpectedly. Please consider using the send Minidump option in the main menu + Send Minidump to developer + Send debugging information about last crash to developer diff --git a/src/de/blinkt/openvpn/FileProvider.java b/src/de/blinkt/openvpn/FileProvider.java index 1147ccf0..e86b544f 100644 --- a/src/de/blinkt/openvpn/FileProvider.java +++ b/src/de/blinkt/openvpn/FileProvider.java 
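Review bot: Replacing `else` with a comment in `resolve_remote` makes the block that starts with `CLEAR (sock->info.lsa->actual);` run on every call, including right after the branch above it. Whatever that branch left in `lsa->actual` is therefore cleared again. The condition of that branch is outside the hunk, so the effect on the remembered peer address can only be inferred. If the intent is to force re-resolution on reconnect, express it as an explicit condition with a comment explaining it, rather than `/* else, quick hack to fix persistent-remote ....*/` in a vendored OpenVPN source file.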
@@ -24,13 +24,15 @@ import java.io.IOException; import java.io.InputStream; import android.content.ContentProvider; -import android.content.ContentValues; import android.content.ContentProvider.PipeDataWriter; +import android.content.ContentValues; import android.content.res.AssetFileDescriptor; import android.database.Cursor; +import android.database.MatrixCursor; import android.net.Uri; import android.os.Bundle; import android.os.ParcelFileDescriptor; +import android.provider.OpenableColumns; import android.util.Log; /** 
@@ -38,92 +40,118 @@ import android.util.Log; * our .apk. */ public class FileProvider extends ContentProvider - implements PipeDataWriter { - @Override - public boolean onCreate() { - return true; - } - - @Override - public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, - String sortOrder) { - // Don't support queries. - return null; - } - - @Override - public Uri insert(Uri uri, ContentValues values) { - // Don't support inserts. - return null; - } - - @Override - public int delete(Uri uri, String selection, String[] selectionArgs) { - // Don't support deletes. - return 0; - } - - @Override - public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { - // Don't support updates. - return 0; - } - - @Override - public String getType(Uri uri) { - // For this sample, assume all files are .apks. - return "application/octet-stream"; - } - - @Override - public AssetFileDescriptor openAssetFile(Uri uri, String mode) throws FileNotFoundException { - // Try to open an asset with the given name. - String path = uri.getPath(); - if(path.startsWith("/")) - path = path.replaceFirst("/", ""); - - // I think this already random enough, no need for magic secure cookies - // 1f9563a4-a1f5-2165-255f2219-111823ef.dmp - if (!path.matches("^[0-9a-z-.]*$")) - throw new FileNotFoundException("url not in expect format " + uri); - - try { - - File cachedir = getContext().getCacheDir(); - File dumpfile = new File(cachedir,path); - InputStream is = new FileInputStream(dumpfile); - // Start a new thread that pipes the stream data back to the caller. 
- return new AssetFileDescriptor( - openPipeHelper(uri, null, null, is, this), 0, - dumpfile.length()); - } catch (IOException e) { - FileNotFoundException fnf = new FileNotFoundException("Unable to open minidump " + uri); - throw fnf; - } - } - - @Override - public void writeDataToPipe(ParcelFileDescriptor output, Uri uri, String mimeType, - Bundle opts, InputStream args) { - // Transfer data from the asset to the pipe the client is reading. - byte[] buffer = new byte[8192]; - int n; - FileOutputStream fout = new FileOutputStream(output.getFileDescriptor()); - try { - while ((n=args.read(buffer)) >= 0) { - fout.write(buffer, 0, n); - } - } catch (IOException e) { - Log.i("OpenVPNFileProvider", "Failed transferring", e); - } finally { - try { - args.close(); - } catch (IOException e) { - } - try { - fout.close(); - } catch (IOException e) { - } - } - } +implements PipeDataWriter { + @Override + public boolean onCreate() { + return true; + } + + @Override + public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, + String sortOrder) { + try { + File dumpfile = getFileFromURI(uri); + + + MatrixCursor c = new MatrixCursor(projection); + + Object[] row = new Object[projection.length]; + int i=0; + for (String r:projection) { + if(r.equals(OpenableColumns.SIZE)) + row[i] = dumpfile.length(); + if(r.equals(OpenableColumns.DISPLAY_NAME)) + row[i] = dumpfile.getName(); + i++; + } + c.addRow(row); + return c; + } catch (FileNotFoundException e) { + e.printStackTrace(); + return null; + } + + + } + + @Override + public Uri insert(Uri uri, ContentValues values) { + // Don't support inserts. + return null; + } + + @Override + public int delete(Uri uri, String selection, String[] selectionArgs) { + // Don't support deletes. + return 0; + } + + @Override + public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { + // Don't support updates. 
+ return 0; + } + + @Override + public String getType(Uri uri) { + // For this sample, assume all files are .apks. + return "application/octet-stream"; + } + + @Override + public AssetFileDescriptor openAssetFile(Uri uri, String mode) throws FileNotFoundException { + File dumpfile = getFileFromURI(uri); + + try { + + InputStream is = new FileInputStream(dumpfile); + // Start a new thread that pipes the stream data back to the caller. + return new AssetFileDescriptor( + openPipeHelper(uri, null, null, is, this), 0, + dumpfile.length()); + } catch (IOException e) { + FileNotFoundException fnf = new FileNotFoundException("Unable to open minidump " + uri); + throw fnf; + } + } + + private File getFileFromURI(Uri uri) throws FileNotFoundException { + // Try to open an asset with the given name. + String path = uri.getPath(); + if(path.startsWith("/")) + path = path.replaceFirst("/", ""); + + // I think this already random enough, no need for magic secure cookies + // 1f9563a4-a1f5-2165-255f2219-111823ef.dmp + if (!path.matches("^[0-9a-z-.]*(dmp|dmp.log)$")) + throw new FileNotFoundException("url not in expect format " + uri); + File cachedir = getContext().getCacheDir(); + File dumpfile = new File(cachedir,path); + return dumpfile; + } + + @Override + public void writeDataToPipe(ParcelFileDescriptor output, Uri uri, String mimeType, + Bundle opts, InputStream args) { + // Transfer data from the asset to the pipe the client is reading. + byte[] buffer = new byte[8192]; + int n; + FileOutputStream fout = new FileOutputStream(output.getFileDescriptor()); + try { + while ((n=args.read(buffer)) >= 0) { + fout.write(buffer, 0, n); + } + } catch (IOException e) { + Log.i("OpenVPNFileProvider", "Failed transferring", e); + } finally { + try { + args.close(); + } catch (IOException e) { + } + try { + fout.close(); + } catch (IOException e) { + } + } + } } diff --git a/src/de/blinkt/openvpn/LogWindow.java b/src/de/blinkt/openvpn/LogWindow.java index 3c0f7246..790e143a 100644 
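Review bot: `query()` dereferences `projection` (`new MatrixCursor(projection)`, `projection.length`), but a caller may pass a null projection, which would throw inside the provider. Fall back to a default when it is null, e.g. `if (projection == null) projection = new String[]{OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE};`. In `getFileFromURI` the pattern `^[0-9a-z-.]*(dmp|dmp.log)$` leaves the dot in `dmp.log` unescaped and does not require a dot before `dmp`, so names such as `xdmp` or `dmpxlog` pass. `"^[0-9a-f-]+\\.dmp(\\.log)?$"` accepts only the two intended shapes.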
--- a/src/de/blinkt/openvpn/LogWindow.java +++ b/src/de/blinkt/openvpn/LogWindow.java @@ -1,9 +1,5 @@ package de.blinkt.openvpn; -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.util.ArrayList; import java.util.Vector; import android.app.AlertDialog; @@ -16,7 +12,6 @@ import android.content.DialogInterface; import android.content.DialogInterface.OnClickListener; import android.content.Intent; import android.database.DataSetObserver; -import android.net.Uri; import android.os.Bundle; import android.os.Handler; import android.os.Handler.Callback; @@ -227,8 +222,6 @@ public class LogWindow extends ListActivity implements StateListener { } else if(item.getItemId()==R.id.info) { if(mBconfig==null) OpenVPN.triggerLogBuilderConfig(); - } else if(item.getItemId()==R.id.minidump) { - emailMiniDumps(); } else if(item.getItemId()==R.id.send) { ladapter.shareLog(); 
@@ -258,72 +251,9 @@ public class LogWindow extends ListActivity implements StateListener { public boolean onCreateOptionsMenu(Menu menu) { MenuInflater inflater = getMenuInflater(); inflater.inflate(R.menu.logmenu, menu); - - - - if(getLastestDump()==null) - menu.removeItem(R.id.minidump); - return true; } - private File getLastestDump() { - long newestDumpTime=0; - File newestDumpFile=null; - - for(File f:getCacheDir().listFiles()) { - if(!f.getName().endsWith(".dmp")) - continue; - - if (newestDumpTime < f.lastModified()) { - newestDumpTime = f.lastModified(); - newestDumpFile=f; - } - } - return newestDumpFile; - } - - - public void emailMiniDumps() - { - //need to "send multiple" to get more than one attachment - final Intent emailIntent = new Intent(android.content.Intent.ACTION_SEND_MULTIPLE); - emailIntent.setType("*/*"); - emailIntent.putExtra(android.content.Intent.EXTRA_EMAIL, - new String[]{"Arne Schwabe "}); - emailIntent.putExtra(Intent.EXTRA_SUBJECT, "OpenVPN Minidump"); - - - ArrayList textarraylist = new ArrayList(); - textarraylist.add("Please describe the issue you have experienced"); - emailIntent.putExtra(Intent.EXTRA_TEXT, textarraylist); - - - ArrayList uris = new ArrayList(); - - File ldump = getLastestDump(); - if(ldump==null) { - OpenVPN.logError("No Minidump found!"); - } - - uris.add(Uri.parse("content://de.blinkt.openvpn.FileProvider/" + ldump.getName())); - uris.add(Uri.parse("content://de.blinkt.openvpn.FileProvider/openvpn.log")); - - - try { - FileWriter logout = new FileWriter(new File(getCacheDir(),"openvpn.log")); - logout.write(ladapter.getLogStr()); - logout.close(); - - } catch (IOException e1) { - OpenVPN.logError("Error writing log: " + e1.getLocalizedMessage()); - } - - //emailIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); - emailIntent.putParcelableArrayListExtra(Intent.EXTRA_STREAM, uris); - startActivity(emailIntent); - } - @Override protected void onResume() { 
diff --git a/src/de/blinkt/openvpn/MainActivity.java b/src/de/blinkt/openvpn/MainActivity.java index 9b329817..32cf575b 100644 --- a/src/de/blinkt/openvpn/MainActivity.java +++ b/src/de/blinkt/openvpn/MainActivity.java @@ -1,8 +1,11 @@ package de.blinkt.openvpn; +import java.io.File; +import java.util.ArrayList; import java.util.List; import android.content.Intent; +import android.net.Uri; import android.preference.PreferenceActivity; public class MainActivity extends PreferenceActivity { @@ -19,6 +22,15 @@ public class MainActivity extends PreferenceActivity { translation.summary = translatedby; target.add(translation); } + + if(SendDumpActivity.getLastestDump(this)!=null) { + Header sendDump = new Header(); + sendDump.titleRes = R.string.send_minidump; + sendDump.summaryRes = R.string.send_minidump_summary; + sendDump.intent = new Intent(this,SendDumpActivity.class); + target.add(sendDump); + } + } @Override @@ -29,4 +41,6 @@ public class MainActivity extends PreferenceActivity { } + + } diff --git a/src/de/blinkt/openvpn/OpenVPN.java b/src/de/blinkt/openvpn/OpenVPN.java index 48623865..0ae681bc 100644 --- a/src/de/blinkt/openvpn/OpenVPN.java +++ b/src/de/blinkt/openvpn/OpenVPN.java @@ -7,10 +7,10 @@ import android.content.Context; import android.os.Build; public class OpenVPN { - + public static LinkedList logbuffer; - + private static Vector logListener; private static Vector stateListener; private static String[] mBconfig; @@ -18,14 +18,14 @@ public class OpenVPN { private static String mLaststatemsg; private static String mLaststate; - + static { logbuffer = new LinkedList(); logListener = new Vector(); stateListener = new Vector(); logInformation(); } - + static class LogItem { public static final int ERROR = 1; public static final int INFO = 2; 
@@ -36,20 +36,20 @@ public class OpenVPN { private int mRessourceId; // Default log priority int mLevel = INFO; - + public LogItem(int ressourceId, Object[] args) { - mRessourceId = ressourceId; - mArgs = args; + mRessourceId = ressourceId; + mArgs = args; } - + public LogItem(int loglevel,int ressourceId, Object[] args) { - mRessourceId = ressourceId; - mArgs = args; - mLevel = loglevel; - } + mRessourceId = ressourceId; + mArgs = args; + mLevel = loglevel; + } + - public LogItem(String message) { mMessage = message; } @@ -70,28 +70,32 @@ public class OpenVPN { if(mMessage !=null) { return mMessage; } else { - if(mArgs == null) - return c.getString(mRessourceId); - else - return c.getString(mRessourceId,mArgs); + if(c!=null) { + if(mArgs == null) + return c.getString(mRessourceId); + else + return c.getString(mRessourceId,mArgs); + } else { + return String.format("Log (no context) resid %d", mRessourceId); + } } } } - + private static final int MAXLOGENTRIES = 200; public static final String MANAGMENT_PREFIX = "M:"; - + public interface LogListener { void newLog(LogItem logItem); } - + public interface StateListener { void updateState(String state, String logmessage); } @@ -108,7 +112,7 @@ public class OpenVPN { } private static void logInformation() { - + logInfo(R.string.mobile_info,Build.MODEL, Build.BOARD,Build.BRAND,Build.VERSION.SDK_INT); } @@ -120,7 +124,7 @@ public class OpenVPN { logListener.remove(ll); } - + synchronized static void addStateListener(StateListener sl){ stateListener.add(sl); if(mLaststate!=null) @@ -156,7 +160,7 @@ public class OpenVPN { public synchronized static void updateStateString(String state, String msg) { mLaststate= state; mLaststatemsg = msg; - + for (StateListener sl : stateListener) { sl.updateState(state,msg); } @@ -174,7 +178,7 @@ public class OpenVPN { logbuffer.addLast(logItem); if(logbuffer.size()>MAXLOGENTRIES) logbuffer.removeFirst(); - + for (LogListener ll : logListener) { ll.newLog(logItem); } 
@@ -182,7 +186,7 @@ public class OpenVPN { public static void logError(String msg) { newlogItem(new LogItem(LogItem.ERROR, msg)); - + } public static void logError(int ressourceId) { @@ -191,6 +195,6 @@ public class OpenVPN { public static void logError(int ressourceId, Object... args) { newlogItem(new LogItem(LogItem.ERROR, ressourceId,args)); } - - + + } diff --git a/src/de/blinkt/openvpn/OpenVPNThread.java b/src/de/blinkt/openvpn/OpenVPNThread.java index 13b8688b..7d58552a 100644 --- a/src/de/blinkt/openvpn/OpenVPNThread.java +++ b/src/de/blinkt/openvpn/OpenVPNThread.java @@ -1,19 +1,24 @@ package de.blinkt.openvpn; import java.io.BufferedReader; +import java.io.BufferedWriter; +import java.io.FileWriter; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.util.LinkedList; import android.util.Log; +import de.blinkt.openvpn.OpenVPN.LogItem; public class OpenVPNThread implements Runnable { + private static final String DUMP_PATH_STRING = "Dump path: "; private static final String TAG = "OpenVPN"; private String[] mArgv; private Process mProcess; private String mNativeDir; private OpenVpnService mService; + private String mDumpPath; public OpenVPNThread(OpenVpnService service,String[] argv, String nativelibdir) { @@ -49,7 +54,18 @@ public class OpenVPNThread implements Runnable { OpenVPN.logError("Process exited with exit value " + exitvalue); OpenVPN.updateStateString("NOPROCESS","No process running."); - + if(mDumpPath!=null) { + try { + BufferedWriter logout = new BufferedWriter(new FileWriter(mDumpPath + ".log")); + for(LogItem li :OpenVPN.getlogbuffer()){ + logout.write(li.getString(null) + "\n"); + } + logout.close(); + OpenVPN.logError(R.string.minidump_generated); + } catch (IOException e) { + OpenVPN.logError("Writing minidump log: " +e.getLocalizedMessage()); + } + } mService.processDied(); Log.i(TAG, "Exiting"); 
@@ -89,6 +105,9 @@ public class OpenVPNThread implements Runnable { while(true) { String logline = br.readLine(); + if (logline.startsWith(DUMP_PATH_STRING)) + mDumpPath = logline.substring(DUMP_PATH_STRING.length()); + if(logline==null) { return; } diff --git a/src/de/blinkt/openvpn/OpenVpnManagementThread.java b/src/de/blinkt/openvpn/OpenVpnManagementThread.java index d15e6a33..9926ba13 100644 --- a/src/de/blinkt/openvpn/OpenVpnManagementThread.java +++ b/src/de/blinkt/openvpn/OpenVpnManagementThread.java @@ -39,7 +39,8 @@ public class OpenVpnManagementThread implements Runnable { private long mLastOut=0; private LocalServerSocket mServerSocket; private boolean mReleaseHold=true; - private boolean mWaitingForRelease=false; + private boolean mWaitingForRelease=false; + private long mLastHoldRelease=0; private static Vector active=new Vector(); @@ -223,8 +224,15 @@ public class OpenVpnManagementThread implements Runnable { } } private void releaseHoldCmd() { + if ((System.currentTimeMillis()- mLastHoldRelease) < 5000) { + try { + Thread.sleep(3000); + } catch (InterruptedException e) {} + + } mWaitingForRelease=false; mReleaseHold=true; + mLastHoldRelease = System.currentTimeMillis(); managmentCommand("hold release\n"); managmentCommand("bytecount " + mBytecountinterval + "\n"); managmentCommand("state on\n"); diff --git a/src/de/blinkt/openvpn/SendDumpActivity.java b/src/de/blinkt/openvpn/SendDumpActivity.java new file mode 100644 index 00000000..8a09b535 --- /dev/null +++ b/src/de/blinkt/openvpn/SendDumpActivity.java 
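Review bot: The new `logline.startsWith(DUMP_PATH_STRING)` runs before the existing `if(logline==null)` check, so end of stream now raises a NullPointerException instead of returning; move the null check above it. `mDumpPath` is taken verbatim from the child's output and later used for `new FileWriter(mDumpPath + ".log")` in the other hunk of this file. Any output line that begins with `Dump path: ` therefore chooses where the log is written. Check that the path lies under the app's cache directory before storing it. The read loop begins outside the hunk.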
@@ -0,0 +1,60 @@ +package de.blinkt.openvpn; + +import java.io.File; +import java.util.ArrayList; + +import android.app.Activity; +import android.content.Context; +import android.content.Intent; +import android.net.Uri; + +public class SendDumpActivity extends Activity { + + protected void onStart() { + super.onStart(); + emailMiniDumps(); + finish(); + }; + + public void emailMiniDumps() + { + //need to "send multiple" to get more than one attachment + final Intent emailIntent = new Intent(android.content.Intent.ACTION_SEND_MULTIPLE); + emailIntent.setType("*/*"); + emailIntent.putExtra(android.content.Intent.EXTRA_EMAIL, + new String[]{"Arne Schwabe "}); + emailIntent.putExtra(Intent.EXTRA_SUBJECT, "OpenVPN Minidump"); + + emailIntent.putExtra(Intent.EXTRA_TEXT, "Please describe the issue you have experienced"); + + ArrayList uris = new ArrayList(); + + File ldump = getLastestDump(this); + if(ldump==null) { + OpenVPN.logError("No Minidump found!"); + } + + uris.add(Uri.parse("content://de.blinkt.openvpn.FileProvider/" + ldump.getName())); + uris.add(Uri.parse("content://de.blinkt.openvpn.FileProvider/" + ldump.getName() + ".log")); + + emailIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); + emailIntent.putParcelableArrayListExtra(Intent.EXTRA_STREAM, uris); + startActivity(emailIntent); + } + + static public File getLastestDump(Context c) { + long newestDumpTime=0; + File newestDumpFile=null; + + for(File f:c.getCacheDir().listFiles()) { + if(!f.getName().endsWith(".dmp")) + continue; + + if (newestDumpTime < f.lastModified()) { + newestDumpTime = f.lastModified(); + newestDumpFile=f; + } + } + return newestDumpFile; + } +} -- cgit v1.2.3 From ef38cc84f6181856ddd6419323d25a8af7c6a176 Mon Sep 17 00:00:00 2001 
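Review bot: In `emailMiniDumps()` the `if(ldump==null)` branch only logs and then falls through to `ldump.getName()`, so when the cache directory holds no `.dmp` file the activity crashes with NullPointerException. Add `return;` after the `OpenVPN.logError("No Minidump found!");` call. `getLastestDump` iterates `c.getCacheDir().listFiles()` directly, and `listFiles()` returns null when the directory cannot be listed, so that loop needs a null guard as well. The second attachment is the `.log` file holding the full log buffer; the `EXTRA_TEXT` prompt could say what is attached so the user can review it before sending.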
From: Arne Schwabe Date: Mon, 24 Dec 2012 14:24:01 +0100 Subject: =?UTF-8?q?Reconnect=20USR1,=20still=20strange=20=E2=80=A6.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/de/blinkt/openvpn/OpenVpnManagementThread.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/de/blinkt/openvpn/OpenVpnManagementThread.java b/src/de/blinkt/openvpn/OpenVpnManagementThread.java index 9926ba13..4e26c44b 100644 --- a/src/de/blinkt/openvpn/OpenVpnManagementThread.java +++ b/src/de/blinkt/openvpn/OpenVpnManagementThread.java @@ -231,7 +231,6 @@ public class OpenVpnManagementThread implements Runnable { } mWaitingForRelease=false; - mReleaseHold=true; mLastHoldRelease = System.currentTimeMillis(); managmentCommand("hold release\n"); managmentCommand("bytecount " + mBytecountinterval + "\n"); @@ -239,10 +238,10 @@ public class OpenVpnManagementThread implements Runnable { } public void releaseHold() { + mReleaseHold=true; if(mWaitingForRelease) releaseHoldCmd(); - else - mReleaseHold=true; + } private void processProxyCMD(String argument) { @@ -467,9 +466,9 @@ public class OpenVpnManagementThread implements Runnable { } public void signalusr1() { + mReleaseHold=false; if(!mWaitingForRelease) managmentCommand("signal SIGUSR1\n"); - mReleaseHold=false; } public void reconnect() { -- cgit v1.2.3 From c143908961ce306cf97b4c2afc56099efe6a21a0 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 24 Dec 2012 14:25:11 +0100 Subject: delte old files --- jni/icsandroid.cpp | 30 ------------------------------ jni/icsandroid.h | 9 --------- 2 files changed, 39 deletions(-) delete mode 100644 jni/icsandroid.cpp delete mode 100644 jni/icsandroid.h diff --git a/jni/icsandroid.cpp b/jni/icsandroid.cpp deleted file mode 100644 index cd63c6fd..00000000 --- a/jni/icsandroid.cpp +++ /dev/null 
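Review bot: `releaseHold()` and `signalusr1()` now write `mReleaseHold` before testing `mWaitingForRelease`, but both are plain `boolean` fields and neither method is synchronized. If these public methods are called from a thread other than the one running the management loop (the callers are not in this diff), the check of `mWaitingForRelease` can interleave with the loop's own update, and the hold may be released twice or left in place. Declaring the two methods `synchronized`, together with the code that sets `mWaitingForRelease`, would close that gap. If only one thread ever touches the fields, a comment should state it: `// only accessed from the management thread`.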
@@ -1,30 +0,0 @@ - -#include "icsandroid.h" -#include "client/linux/handler/exception_handler.h" - -namespace { - -bool DumpCallback(const google_breakpad::MinidumpDescriptor& descriptor, - void* context, - bool succeeded) { - printf("Dump path: %s\n", descriptor.path()); -fflush(stdout); - return succeeded; -} - -void Crash() { - volatile int* a = reinterpret_cast(NULL); - *a = 1; -} - -} // namespace - -static google_breakpad::MinidumpDescriptor* desc; -static google_breakpad::ExceptionHandler* eh; -void setup_breakpad(void) -{ -printf("Initializing Google Breakpad!\n"); -desc = new google_breakpad::MinidumpDescriptor("/data/data/de.blinkt.openvpn/cache"); -eh = new google_breakpad::ExceptionHandler(*desc, NULL, DumpCallback, NULL, true,-1); -} - diff --git a/jni/icsandroid.h b/jni/icsandroid.h deleted file mode 100644 index cd11da40..00000000 --- a/jni/icsandroid.h +++ /dev/null @@ -1,9 +0,0 @@ -#ifdef __cplusplus -extern "C" { -#endif - - void setup_breakpad(void); - -#ifdef __cplusplus -} -#endif -- cgit v1.2.3 From 3a388608e2b8292f9bbd20c85ac3cc97429cc242 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 24 Dec 2012 14:27:15 +0100 Subject: Insert missing not --- res/values/strings.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/res/values/strings.xml b/res/values/strings.xml index 3613c7d1..762133c1 100755 --- a/res/values/strings.xml +++ b/res/values/strings.xml 
@@ -143,7 +143,7 @@ Trying to read file: %1$s Could not find file %1$s mentioned in the imported config file Importing config file from source %1$s - Your configuration had a few configuration options that could be parsed. These options were added as custom configuration options. The custom configuration is displayed below: + Your configuration had a few configuration options that could not be parsed. These options were added as custom configuration options. The custom configuration is displayed below: Done reading config file. Do not bind to local address and port No local binding -- cgit v1.2.3 From d02c5af48106c89d510a11b4b1b4ba3d47f502c1 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 25 Dec 2012 16:04:16 +0100 Subject: OpenVPN fixes --- openvpn/config.h | 2 +- openvpn/src/openvpn/init.c | 33 +++++++++++++++++++-------------- openvpn/src/openvpn/openvpn.h | 1 + openvpn/src/openvpn/options.h | 1 - openvpn/src/openvpn/push.c | 8 ++++++-- 5 files changed, 27 insertions(+), 18 deletions(-) diff --git a/openvpn/config.h b/openvpn/config.h index be6733fb..0d86c1d9 100644 --- a/openvpn/config.h +++ b/openvpn/config.h @@ -450,7 +450,7 @@ #define PACKAGE_NAME "OpenVPN" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "OpenVPN 2.3_rc1+dspatch2" +#define PACKAGE_STRING "OpenVPN 2.3_rc1+dspatch3" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "openvpn" diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index e2942c00..b3125282 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c 
@@ -341,24 +341,29 @@ next_connection_entry (struct context *c) } else { + /* FIXME (schwabe) fix the persist-remote-ip option for real, + * this is broken probably ever since connection lists and multiple + * remote existed + */ + + if (!c->options.persist_remote_ip) + clear_remote_addrlist (&c->c1.link_socket_addr); + else + c->c1.link_socket_addr.current_remote = + c->c1.link_socket_addr.remote_list; + + /* + * Increase the number of connection attempts + * If this is connect-retry-max * size(l) + * OpenVPN will quit + */ + c->options.unsuccessful_attempts++; + if (++l->current >= l->len) { - /* FIXME (schwabe) fix the persist-remote-ip option for real, - * this is broken probably ever since connection lists and multiple - * remote existed - */ - /* - * Increase the number of connection attempts - * If this is connect-retry-max * size(l) - * OpenVPN will quit - */ - - if (!c->options.persist_remote_ip) - clear_remote_addrlist (&c->c1.link_socket_addr); - + l->current = 0; - ++l->n_cycles; if (++n_cycles >= 2) msg (M_FATAL, "No usable connection profiles are present"); } diff --git a/openvpn/src/openvpn/openvpn.h b/openvpn/src/openvpn/openvpn.h index 7abfb087..bdfa6852 100644 --- a/openvpn/src/openvpn/openvpn.h +++ b/openvpn/src/openvpn/openvpn.h @@ -474,6 +474,7 @@ struct context_2 bool did_pre_pull_restore; /* hash of pulled options, so we can compare when options change */ + bool pulled_options_md5_init_done; struct md5_state pulled_options_state; struct md5_digest pulled_options_digest; diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h index 91387845..909cb38a 100644 --- a/openvpn/src/openvpn/options.h +++ b/openvpn/src/openvpn/options.h @@ -153,7 +153,6 @@ struct connection_list { int len; int current; - int n_cycles; struct connection_entry *array[CONNECTION_LIST_SIZE]; }; diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c index 148d7ebe..994b7ba7 100644 --- a/openvpn/src/openvpn/push.c 
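Review bot: The FIXME in `next_connection_entry` was moved together with `clear_remote_addrlist`, but no comment records that the reset now runs on every call in this branch rather than only when `l->current` wraps. Add one above the `if`, for example `/* reset the remote address state for every new connection entry, not only on wrap-around */`. The second comment, "If this is connect-retry-max * size(l) OpenVPN will quit", does not say where `unsuccessful_attempts` is compared against that limit; naming the function that does the check would help, as it is not in this hunk. The function begins before and continues after the hunk.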
+++ b/openvpn/src/openvpn/push.c @@ -446,10 +446,14 @@ process_incoming_push_msg (struct context *c, if (ch == ',') { struct buffer buf_orig = buf; + if (!c->c2.pulled_options_md5_init_done) + { + md5_state_init (&c->c2.pulled_options_state); + c->c2.pulled_options_md5_init_done = true; + } if (!c->c2.did_pre_pull_restore) { pre_pull_restore (&c->options); - md5_state_init (&c->c2.pulled_options_state); c->c2.did_pre_pull_restore = true; } if (apply_push_options (&c->options, @@ -463,8 +467,8 @@ process_incoming_push_msg (struct context *c, case 1: md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); + c->c2.pulled_options_md5_init_done = false; ret = PUSH_MSG_REPLY; - md5_state_init (&c->c2.pulled_options_state); break; case 2: md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); -- cgit v1.2.3 From 3875d9a483e91eaeff7b3dfaad305f363d52daf2 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 25 Dec 2012 16:07:23 +0100 Subject: update translations --- fetchtranslations.sh | 2 +- res/values-cs/strings.xml | 49 +++++++++++++--------- res/values-de/strings.xml | 33 +++++++++------ res/values-es/strings.xml | 65 ++++++++++++++++++++++------- res/values-et/strings.xml | 42 ++++++++++++------- res/values-fr/strings.xml | 18 ++++---- res/values-it/strings.xml | 55 +++++++++++-------------- res/values-ja/strings.xml | 32 +++++++++------ res/values-nl/strings.xml | 13 ------ res/values-zh-rCN/strings.xml | 12 ++---- res/values-zh-rTW/strings.xml | 96 ++++++++++++++++++++++++++++++++++++------- res/values/strings.xml | 3 -- 12 files changed, 268 insertions(+), 152 deletions(-) diff --git a/fetchtranslations.sh b/fetchtranslations.sh index ae8d09f1..847dd3cd 100755 --- a/fetchtranslations.sh +++ b/fetchtranslations.sh 
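Review bot: `pulled_options_md5_init_done` is cleared only in `case 1`, after `md5_state_final`. If a push sequence stops after a `case 2` continuation and no final message arrives, the flag stays true and the next reply is hashed on top of the leftover state, unless `context_2` is reset between sessions (not visible in this diff). Since the digest is what detects changed options pushed by the server, the lifecycle deserves a comment at the field in openvpn.h: `/* true while a PUSH_REPLY sequence is being hashed; cleared when the digest is finalized */`. `process_incoming_push_msg` starts and ends outside these hunks.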
@@ -10,7 +10,7 @@ fi echo "Fetch translation archive" fetch -q http://crowdin.net/download/project/ics-openvpn.zip -langtoinclude="ca cs de es et fr he it ja ko no nl ru" +langtoinclude="ca cs de es et fr he id it ja ko no nl ru" for lang in $langtoinclude do diff --git a/res/values-cs/strings.xml b/res/values-cs/strings.xml index 19d8b880..23b77358 100755 --- a/res/values-cs/strings.xml +++ b/res/values-cs/strings.xml @@ -5,7 +5,7 @@ Adresa serveru: Port serveru: Lokace - adresář nelze číst! + Nelze přečíst adresář Zvolit Storno Žádná data @@ -15,9 +15,9 @@ Klientský klíč PKCS12 soubor CA certifikát - Nic nezvoleno - Zdrojové kódy a podpora je k dispozici na http://code.google.com/p/ics-openvpn/ - Program používá následující komponenty. Detaily jsou k dispozici ve zdrojových kódech + Je třeba vybrat certifikát + Zdrojové kódy a seznam problémů je na http://code.google.com/p/ics-openvpn/ + Tento program používá následující komponenty; viz zdrojový kód pro detaily o licenci O programu O programu OpenVPN pro Android Seznam všech nakonfigurovaných VPN 
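Review bot: The archive that feeds the newly added `id` language is still downloaded by the context line `fetch -q http://crowdin.net/download/project/ics-openvpn.zip`, over plain http, and no integrity check is visible in this hunk. The strings it delivers are committed into `res/values-*/strings.xml`, and some of them carry markup such as `<a href=…>`, so content altered in transit would end up in the shipped app. Fetching over TLS where the service offers it, and reviewing the resulting string diff for unexpected links before committing, would cover this. The rest of the script is outside the hunk.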
@@ -25,28 +25,28 @@ Typ PKCS12 heslo Vyber… - Nic nevybráno + Je třeba vybrat soubor Použij TLS TLS řízení Zadej IPv6 adresu/masku v CIDR formátu (tj. 2000:dd::23/64) Zadej IPv4 adresu/masku v CIDR formátu (tj. 1.2.3.4/24) IPv4 adresa IPv6 adresa - Zadej vlastní OpenVPN volby. Používej opatrně. Měj na paměti, že většina voleb pro tun nemůže být podporována kvůli designu komponenty VPNSettings. Pokud si myslíš, že chybí důležitá vlastnost, kontaktuj autora + Zadat vlastní nastavení. Používat opatrně. Poznámka, mnoho voleb okolo tun adaptéru nemůže být podporováno. Pokud si myslíte, že chybí podstatná volba, kontaktujte autora Jméno Heslo - Pro statickou konfiguraci, TLS klíč bude použit jako statický klíč. + Pro statickou konfiguraci bude jako klíč použit autentizační klíč TLS Konfigurace VPN Přidat profil Zadej jméno identifikující nový profil - Duplikátní jméno profilu + Zadej prosím unikátní jméno profilu Jméno profilu - Není zvolen uživatelský certifikát. + Je třeba vybrat uživatelský certifikát Bez chyb Chyba v konfiguraci - Chyba při čtení IPv4 adresy - Chyba při čtení vlastního směrování - Nech prázdné pro zadávání až bude potřeba + Chyba při zpracování IPv4 adresy + Chyba při zpracování vlastního směrování + (nechej prázdné pro dotazování, až bude potřeba) OpenVPN zkratka Připojit k VPN Profil zvolený ve zkratce nenalezen @@ -90,9 +90,9 @@ Povol plovoucí server Vlastní nastavení Změnit nastavení VPN - Odstranit VPN profil %s? + Odstranit VPN profil \'%s\'? Na některých ICS systémech může být oprávnění pro /dev/tun špatně nastavené, nebo tun modul může zcela chybět. Pro systém s CM9 zkus využít opravy vlastnictví v obecném nastavení - Otvírání tun irozhraní selhalo. + Chyba při otvírání tun zařízení "Chyba: " Vymazat info 
@@ -106,7 +106,7 @@ Získány informace o rozhraní %1$s a %2$s, předpokládám, že druhá adresa je adresa vzdáleného kolegy. Používám /32 masku pro místní IP adresu. Mód OpenVPN je \"%3$s\". %1$s a %2$s jako IP adresy s CIDR maskou nedávají smysl, používám /32 jako masku. Směrování opraveno z %1$s/%2$s na %3$s/%2$s - Nemohu přistoupit k Androidímu úložišti certifikátů. (To může být způsobeno aktualizací firmwaru nebo obnovením zálohy aplikace/nastavení.) Prosím, uprav nastavení VPN a znovu zvol certifikát pro znovu vytvoření oprávnění pro přístup k cerifikátu. + Nelze přistoupit k Androidímu úložišti certifikátů. To může být způsobeno aktualizací firmwaru nebo obnovováním aplikace a jejího nastavení ze zálohy. Uprav VPN profil a znovu vyber certifikát pro vytvoření patřičných povolení. %1$s %2$s Odeslat soubor s logem Odeslat 
@@ -114,15 +114,15 @@ Záznam z logu zkopírován do schránky Tap mód Tap mód není možný bez rootovského VPN API, proto tato aplikace nemá podporu pro tap - Znovu? Tap mód opravdu nemůže být podporová a proto posílání mailů nemůže pomoci. - Potřetí? No, někdo by mohl napsat emulátor tap rozhraní pomocí tun, který by přidal informace na druhé vrstvě. Ale tahle emulace by musela mít i podporu pro ARP a DHCP. Nejsem si vědom, že by někdo dělal něco podobného. Napiš mi, pokud bys chtěl něco podobného naprogramovat. + Opět? Děláš si srandu? Ne, tap mód opravdu není podporován a další maily na tom nic nezmění. + Potřetí? Ve skutečnosti, šlo by napsat emulátor tap zařizení pomocí tun, které by patřičně zpracovávalo informace z druhé vrstvy. Ale tento emulátor by také musel implementovat ARP a DHCP. Nejsem si vědom, že by někdo tímto směrem něco podnikl. Kontaktuj mne, pokud máš zájem toto naprogramovat. FAQ Často kladené otázky a nějaké rady Kopírování záznamů z logu Pro zkopírování jednoho záznamu stačí dlouze zmáčknout požadovaný záznam. Pro zkopírování/odeslání celého logu použij možnost Odeslat soubor s logem. Pokud není tlačítko viditené v uživatelském rozhraní, zkus použít to hardwarové. Zkratka na spuštění Je možné přidat zkratku pro spuštění konkrétní VPN na domovskou obrazovku. - Tvúj systém nepodporuje VPNService API, je mi líto :( + Tvůj obrázek není podporovaný rozhraním VPNService, je mi líto :-( Šifrování Zadej šifrovací metodu Zadej šifru pro OpenVPN. Nech prázdné pro výchozí šifru 
@@ -142,7 +142,7 @@ Snažim se přečíst soubor: %1$s Nemohu najít soubor %1$s zmiňovaný v importovaném profilu Importuji nastavení z %1$s - Tvoje konfigurace obsahuje několik dalších nastavení, které jsem přečetl. Jsou přidány jako další vlastní nastavení. Toto nastavení je zobrazeno níže: + Tvé nastavení obsahuje několik položek, které se nepodařilo zpracovat. Tyto položky byly přidány jako vlastní nastavení. Vlastní nastavení je zobrazeno níže: Dočetl jsem konfigurační soubor. Nevázat se k místní adrese a portu Nesvazovat se @@ -172,7 +172,7 @@ Zobrazí vygenerované nastavení OpenVPN Úprava \"%s\" Vytvářím konfiguraci… - Zapnutí tohoto nastavení vynutí opětovné připojení, pokud se změní stav sítě (WIFI na mobilní nebo zpět) + Zapnutím této volby bude vynuceno opětovné připojení, pokud se změní stav sítě (např. z WiFi na mobilní síť a zpět) Opětovně připojit při změně sítě Získán certifikát \'%s\' z úložiště Stav sítě: %s 
@@ -229,4 +229,13 @@ Importovat OpenVPN nastavení Spotřeba baterie V testech se jako hlavní důvod vysoké spotřeby baterie ukázaly keepalive pakety. Většina OpenVPN serverů má v konfiguraci něco jako \'keepalive 10 60\', což znamená posílání paketů každých deset vteřin. <p> Tyto pakety jsou malé a neznamenají velký provoz, ale udržují mobilní síť aktivní a zvyšují spotřebu energie. <p> Toto nastavení nelze změnit na klientské straně. Jen administrátor OpenVPN může toto nastavení změnit. <p> Bohužel používání keepalive hodnot větších než 60 vteřin spolu s UDP může způsobovat problémy s některými NATy, které ukončují po krátkém čase spojení. Použití TCP s dlouhým keepalive funguje, ale má problém \"TCP přes TCP\" (Viz <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Proč je TCP přes TCP špatný nápad</a>) + Androidí funkce tetheringu (přes WiFi, USB, nebo Bluetooth) a VPService API (používané tímto programem) spolu nepracují. Více detailů viz <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">problém #34</a> + VPN a tethering + Opakování připojení + Nastavení obnovení + Počet vteřin mezi pokusy o připojení. + Vteřin mezi připojeními + OpenVPN neočekávaně havarovalo. Zvaž možnost použití volby poslat Minidump z hlavního menu + Poslat Minidump vývojáři + Poslat ladící informace o poslední havárii vývojáři diff --git a/res/values-de/strings.xml b/res/values-de/strings.xml index 693ea7ce..8bca3e9c 100755 --- a/res/values-de/strings.xml +++ b/res/values-de/strings.xml @@ -15,7 +15,7 @@ Clientzertifikatsschlüssel PKCS12 Datei CA Zertifikat - Nichts ausgewählt + Kein Zertifikat ausgewählt Quellcode und Iusse Tracker unter http://code.google.com/p/ics-openvpn/ verfügbar Dieses Programm nutzt die folgenden Komponenten. Die kompletten Lizenzdetails sind im Quelltext verfügbar Über 
@@ -32,21 +32,21 @@ Tragen Sie die IPv4 Adresse und Netzmaske im CIDR Format ein (z.B. 1.2.3.4/24) IPv4 Adresse IPv6 Adresse - Tragen Sie eigene OpenVPN Optionen ein. Beachten Sie, dass einige (vor allem tun spezifische) Optionen von der Android Version nicht unterstützt werden können. Wenn Sie denken, dass eine wichtige Option fehlt, kontaktieren Sie den Autor. + Tragen Sie eigene OpenVPN Optionen ein. Beachten Sie, dass einige (vor allem tun spezifische) Optionen von der Android Version nicht unterstützt werden können. Wenn Sie denken, dass eine wichtige Option fehlt, kontaktieren Sie den Autor Benutzername Passwort - Für die statische Konfiguration werden die TLS Auth Schlüssel als statische Schlüssel benutzt. + Für die statische Konfiguration werden die TLS Auth Schlüssel als statische Schlüssel benutzt VPN konfigurieren Profil hinzufügen Geben Sie einen Namen für das neue Profil an - Doppelter Profilname + Doppelter Profilname, bitte vergeben Sie einen eindeutigen Profilnamen. Profilname - Kein Benutzerzertifikat ausgewählt. + Kein Benutzerzertifikat ausgewählt Kein Fehler. Fehler in der Konfiguration Kann die die IPv4 Adresse nicht parsen - Kann die Routen nicht parsen - Password nicht speichern + Kann die manuell angegeben Routen nicht parsen + (Leer lassen um nicht zu speichern) OpenVPN Verknüpfung VPN verbinden Von der Verknüpfung referenziertes Profil konnte nicht gefunden werden @@ -90,9 +90,9 @@ Erlaube floating Server Eigene Optionen Ändere VPN Einstellungen - VPN %s löschen? + VPN Profile \'%s\' löschen? Auf manchen ROM Version sind eventuell die Zugriffsrechte von /dev/tun falsch oder das tun Kernel Modul fehlt. Für Cyanogenmod 9 ROMs mit root gibt einen provisorischen Fix in den generellen Einstellungen. - Das Öffnen des tun Interfaces ist katastrophal gescheitert. + Das Öffnen des tun Interfaces ist katastrophal gescheitert "Fehler: " Clear Info 
@@ -114,7 +114,7 @@ Log Eintrag in die Zwischenablage kopiert Tap Mode Die VPN API von Android, die ohne rooten des Telefons funktioniert, unterstützt nur den tun Modus. Das Unterstützen des Tap Modus ist daher nicht möglich. - Die gleiche Frage nochmal? Meinen Sie das ernst? Ohne root kann tap wirklich nicht unterstützt werden. Emails an mich mit der Frage wann tap unterstützt wird, helfen hier kein Stück + Die gleiche Frage nochmal? Meinen Sie das ernst? Ohne root kann tap wirklich nicht unterstützt werden. Emails an mich mit der Frage wann tap unterstützt wird, helfen hier kein Stück. Ein drittes Mal? Nun gut, theoretisch kann tap mit einem tun Gerät emuliert werden. Dieser tap Emulator müsste die Layer 2 Informationen beim Senden hinzufügen und beim Empfangen wieder entfernen. Zusätzlich muss noch ARP und sinnvollerweise auch ein DHCP Client implementiert werden. Mir ist niemand bekannt, der etwas in diese Richtung unternimmt. Kontaktieren Sie mich, wenn Sie etwas in dies implementieren wollen. FAQ häufig gestellte Fragen und Hinweise @@ -172,7 +172,7 @@ Zeigt die generierte Konfigurationsdatei Editiere \"%s\" Generiere OpenVPN Konfiguration… - Aktivieren dieser Option zwingt OpenVPN dazu beim Wechsel des Netzwerkes (WLAN zu Mobilfunk und umgekehrt) neu zu verbinden. + Aktivieren dieser Option zwingt OpenVPN dazu beim Wechsel des Netzwerkes (WLAN zu Mobilfunk und umgekehrt) neu zu verbinden Netzwerkänderungen beachten Zertifikat (KeyStore): \'%s\' Netzwerkstatus: %s 
@@ -228,5 +228,14 @@ OpenVPN-Log OpenVPN Konfiguration importieren Energieverbrauch - In meinen eigenen Tests ist der Hauptgrund für den hohen Stromverbrauch von OpenVPN das Senden und Empfangen der Keepalive-Pakete. Die meisten OpenVPN-Server haben eine Konfigurationsoption wie \' keepalive 10 60\', was bedeutet dass vom Client an den Server und Server an den Client alle zehn Sekunden ein Paket geschickt wird. <p> Diese Pakete sind klein und erzeugen keine große Datenmenge. Sie sorgen allerdings dafür, dass das permanent Daten übertragen werden und somit auch die Mobilfunk bzw. WLAN Einheit aktiv ist und steigern damit den Energieverbrauch. <p> Diese keepalive Einstellung kann nicht auf dem Client geändert werden. Nur der Systemadministrator des VPN Servers kann die Einstellung ändern. <p> Leider hat eine keepalive Einstellung von mehr als 60 Sekunden mit udp Probleme mit einigen NAT-Gateways, die für inaktive Verbindung nur eine sehr kurze Haltzeit haben und danach verwerfen (60s in meinen Tests). Benutzen von TCP mit langen Keep-Alive-Timeout funktioniert, hat aber das TCP über TCP Problem. (Siehe < a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\" > Why TCP Over TCP Is A Bad Ide</a>) + In meinen eigenen Tests ist der Hauptgrund für den hohen Stromverbrauch von OpenVPN das Senden und Empfangen der Keepalive-Pakete. Die meisten OpenVPN-Server haben eine Konfigurationsoption wie \' keepalive 10 60\', was bedeutet dass vom Client an den Server und Server an den Client alle zehn Sekunden ein Paket geschickt wird. lt;pgt; Diese Pakete sind klein und erzeugen keine große Datenmenge. Sie sorgen allerdings dafür, dass das permanent Daten übertragen werden und somit auch die Mobilfunk bzw. WLAN Einheit aktiv ist und steigern damit den Energieverbrauch. lt;pgt; Diese keepalive Einstellung kann nicht auf dem Client geändert werden. Nur der Systemadministrator des VPN Servers kann die Einstellung ändern. 
lt;pgt; Leider hat eine keepalive Einstellung von mehr als 60 Sekunden mit udp Probleme mit einigen NAT-Gateways, die für inaktive Verbindung nur eine sehr kurze Haltzeit haben und danach verwerfen (60s in meinen Tests). Benutzen von TCP mit langen Keep-Alive-Timeout funktioniert, hat aber das TCP über TCP Problem. (Siehe lt; a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\" gt; Why TCP Over TCP Is A Bad Idelt;/agt;) + Die \"Anbindung & mobiler WLAN-Hotspot\" Funktion und die VPNService-API, die von diesem Programm verwendet wird, funktionieren nicht zusammen. Für weitere Details siehe <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\"> Issue #34 </a> + VPN und \"Anbindung & mobiler WLAN-Hotspot\" + Anzahl Verbindungsversuche + Einstellungen für das Neuverbinden + Anzahl von Sekunden zwischen Verbindungsversuchen. + Sekunden zwischen Verbindungsversuchen + Der OpenVPN Prozess ist unerwartet abgestützt. Bitte erwägen Sie die \"Minidump senden\" im Hauptmenü + Minidump an Entwickler senden + Sendet Debugging Informationen des letzten Absturzes an den Entwickler diff --git a/res/values-es/strings.xml b/res/values-es/strings.xml index b0279a2f..ca437077 100755 --- a/res/values-es/strings.xml +++ b/res/values-es/strings.xml @@ -5,7 +5,7 @@ Dirección del servidor: Puerto del servidor: Ubicación - ¡no se puede leer la carpeta! + No se puede leer el directorio Seleccionar Cancelar No hay datos 
@@ -15,9 +15,9 @@ Llave del Certificado de Cliente Archivo PKCS12 Certificado de la CA - Nada seleccionado - Codigo fuente y sistema de reporte de errores disponibles en http://code.google.com/p/ics-openvpn/ - El programa utiliza los siguientes componentes. Vea las fuentes para obtener más información sobre las licencias + Debe seleccionar un certificado + Codigo fuente y sistema de reporte de errores disponibles en http://code.google.com/p/ics-openvpn/ + El programa utiliza los siguientes componentes. Vea los códigos fuentes para obtener más información sobre las licencias Acerca de Acerca de OpenVPN para Android Lista de todas las VPN configuradas 
@@ -25,28 +25,28 @@ Tipo Contraseña PKCS12 Seleccionar... - Nada seleccionado + Debe seleccionar un archivo Utilizar la autenticación TLS Dirección TLS Introduzca la dirección/máscara de red IPv6 en formato CIDR (por ejemplo, 2000:dd::23/64) Introduzca la dirección/máscara de red IPv4 en formato CIDR (por ejemplo, 1.2.3.4/24) Dirección IPv4 Dirección IPv6 - Introduzca las opciones personalizadas de OpenVPN. Uselas con mucho cuidado. Tenga en cuenta que muchas de las configuraciones de OpenVPN relacionadas con tun no pueden ser soportadas por el diseño de VPNSettings. Si crees falta una funcion importate contacta al autor + Introduzca las opciones personalizadas de OpenVPN. Úselas con mucho cuidado. Además, tenga en cuenta que muchas de las configuraciones de OpenVPN relacionadas con tun no pueden ser soportadas por el diseño de VPNSettings. Si cree que falta una función importante, contacte al autor Nombre de usuario Contraseña - Para la configuración estática las llaves de autenticación TLS se utilizaran como llaves estáticas. + Para la configuración estática las claves de autenticación TLS se utilizaran como claves estáticas Configurar la VPN Agregar perfil Escriba un nombre que identifica el nuevo perfil - Nombre de perfil duplicado + Por favor, introduzca un nombre de perfil único Nombre del Perfil - Sin certificado de usuario seleccionado. + Debe seleccionar un certificado de usuario No se encontraron errores Error en la configuración - No se puede analizar la dirección IPv4 - No se puede analizar las rutas personalizadas - Deje en blanco para consultar sobre demanda + Error al analizar la dirección IPv4 + Error al analizar las rutas personalizadas + (Deje en blanco para consultar sobre demanda) Acceso directo de OpenVPN Conectar a VPN Perfil especificado en el acceso directo no encontrado 
@@ -58,10 +58,13 @@ Desconectar Limpiar registro Cancelar confirmación + ¿Desconectar la conexión VPN/cancelar el intento de conexión? Eliminar VPN Comprueba si el servidor utiliza un certificado de servidor TLS Excepto servidor TLS + Comprueba el CN del certificado del servidor remoto contra una cadena Comprobación del certificado de nombre de host + Introduzca la cadena contra la que se comprueba el servidor remoto. OpenVPN usará coincidencias de prefijos. \"Servidor\" coincide con \"Servidor-1\" y \"Servidor-2\"\nDeje vacío para comprobar el CN contra el nombre de host del servidor. Nombre de Host remoto(CN) habilita la autenticación de clave TLS Archivo de autenticación TLS @@ -74,10 +77,13 @@ searchDomain Servidor DNS a ser usado. Servidor DNS + El servidor DNS secundario se utiliza si el servidor DNS normal no puede alcanzarse. + Servidor DNS de respaldo Ignorar rutas obtenidas Ignorar rutas obtenidas del servidor. Redirige todo el tráfico a través de VPN Usar ruta predeterminada + Introduzca las rutas personalizadas. Sólo introduzca destinos en formato CIDR. \"10.0.0.0/8 2002:: / 16\" dirigiría las redes 10.0.0.0/8 y 2002::/16 sobre la VPN. Rutas personalizadas Nivel de detalle del registro Permite paquetes autenticados desde cualquier IP 
@@ -85,15 +91,20 @@ Opciones personalizadas Modificar la configuración de VPN ¿Eliminar el perfil VPN %s? + En algunas imágenes personalizadas de ICS los permisos sobre /dev/tun podrían ser incorrectos, o el módulo tun podría faltar completamente. Para imágenes de CM9 pruebe la opción \"arreglar la propiedad de /dev/tun\" ubicada en la configuración general + La apertura de la interfaz tun falĺó "Error: " Borrar información Mostrar detalles de la conexión Última configuración de interfaz de OpenVPN: + Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d Servidor DNS: %s Dominio DNS: %s Rutas: %s Rutas IPv6: %s + Información de la interfaz obtenida %1$s and %2$s, asumiendo que la segunda dirección es una dirección equivalente del remoto. Usando una máscara de red /32 para la IP local. El modo dado por OpenVPN es \"%3$s\". + No tienen sentido %1$s y %2$s como ruta IP con máscara de red CIDR, usando /32 como máscara de red. Ruta conectada de %1$s/%2$s a %3$s/%2$s %1$s %2$s Enviar el archivo de registro 
@@ -102,21 +113,24 @@ Entrada de registro copiada al Portapapeles Modo Tap El Modo tap no es posible sin la API VPN de root. Por lo tanto la aplicacion no puede dar soporte a tap - ¿Otra vez? ¿Estás bromeando? El modo tap no esta realmente soportado y enviar más correos preguntando si sera soportado no ayudará. + ¿Otra vez? ¿Estás bromeando? No, el modo tap realmente no está soportado y enviar más correos preguntando si será soportado no ayudará. ¿Una tercera vez? En realidad se podría escribir un emulador de tap basado en tun que podria agregar información layer2 al enviar y obtener información layer2 al recibir. Pero este emulador tap tendría que implementar también ARP y posiblemente un cliente DHCP. No sé de alguien que este realizando trabajo en esa dirección. Ponte en contacto conmigo si deseas iniciar la codificación de esto. P+F Preguntas frecuentes y consejos Copiar las entradas del registro Para copiar una sola entrada de registro presione y mantenga pulsado sobre la entrada del registro. Para copiar y enviar el registro completo use la opción Enviar registro. Utilice el botón fisico de menú si no visible en la interfaz. Acceso directo para iniciar - Su imagen no es compatible con la API de VPNService, lo siento :( + Puede colocar un acceso directo para iniciar OpenVPN en el escritorio. Dependiendo del programa de la pantalla de inicio tiene que añadir un acceso directo o un widget. Cifrado Especifique el método de cifrado + Introduzca la clave de cifrado para OpenVPN. Deje en blanco para utilizar cifrado predeterminado Autenticación/Cifrado Administrador de archivos + Archivo en línea Importar Error al importar el archivo No se pudo importar el archivo del sistema de archivos + [[Datos de archivo en línea]] Negandose a abrir el dispositivo tun sin información de IP Importar perfil de un archivo ovpn Importar 
@@ -132,8 +146,10 @@ Ningún enlace local Importar archivo de configuracion Consideraciones de seguridad + "Como OpenVPN es sensible a la seguridad, son razonables algunas notas acerca de seguridad. Todos los datos en la tarjeta SD son inherentemente inseguros. Cualquier aplicación puede leerla (por ejemplo, esta aplicación no requiere ningún permiso especial sobre la tarjeta SD). Los datos de esta aplicación sólo pueden ser leidos por la misma aplicación. Al utilizar la opción importar para el certificado de la CA/certificado/llave, en la ventana de diálogo para selección de archivos, los datos se almacenan en el perfil de la VPN. Los perfiles de VPN sólo son accesibles por esta aplicación. (No olvide después borrar las copias de la tarjeta SD). Aunque sólo sea accesible por esta aplicación, los datos aún están sin encriptar. Al acceder el dispositivo portátil como root u otro medio, es posible recuperar estos datos. Las contraseñas guardadas son almacenadas también en texto plano. Para archivos pkcs12 es muy recomendable que los importe al repositorio de llaves de Android." Importar Error mostrando la seleccion de certificados + Se obtuvo una excepción al intentar mostrar el diálogo de selección de certificado de Android 4.0+. Esto nunca debería ocurrir por ser una funcionalidad estándar de Android 4.0+. Quizás el respaldo ROM para almacenamiento de certificados de su Android está arruinado IPv4 IPv6 Esperando el mensaje de estado... @@ -141,6 +157,7 @@ perfil importado %d Imágenes rotas El nombre de usuario no debe estar vacío. + Clave PKCS12 de cifrado de archivos Contraseña de clave privada Contraseña icono de archivo 
@@ -152,12 +169,20 @@ Muestra el archivo de configuración OpenVPN generado Editando \"%s\" Construyendo configuracion... + Turning this option on will force a reconnect if the network state is changed (e.g. WiFi to/from mobile) Reconectar en cambio de red Conseguido el certificado de \'%s\' de almacén de claves Estado de la red: %s + El certificado de la CA usualmente es recuperado del almacén de claves de Android. Especifique un certificado diferente si obtiene errores de verificación de certificado. Seleccionar + No se obtuvo ningún certificado de CA al leer el almacén de claves de Android. La autenticación probablemente fallará. + Muestra la ventana de registro el conectarse. La ventana de registro siempre puede accederse desde el estado de la notificación. Mostrar ventana de registro + Mantenga la notificación visible después de que la conexión es establecida para mostrar estadísticas de tráfico. Mostrar estadísticas de tráfico + Ejecutándose en %1$s (%2$s) %3$s, API de Android %4$d + Error al firmar con la llave del almacén de llaves de Android %1$s: %2$s + Advertencia de conexión y sonido de notificación Traducción al español por José Luis Bandala Perez<luis.449bp@gmail.com> IP y DNS Básico @@ -174,11 +199,13 @@ Error al obtener la configuración de proxy: %s Usando proxy %1$s %2$d Usar el proxy del sistema + Utilice la configuración del sistema para los proxies HTTP/HTTPS a conectar. Usted puede <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">donar con PayPal</a> OpenVPN volvera a conectar a una VPN si estaba activa en el apagado/reinicio del sistema. Por favor lea la P+F de advertencia de conexión antes de usar esta opción. Vuelva a conectar al reiniciar Ignorar Reiniciar + Los cambios de configuración se aplican después de reiniciar la VPN. ¿(Re)iniciar la VPN ahora? Configuración cambiada No se pudo determinar el último perfil conectado para editar Notificaciones duplicadas 
@@ -194,4 +221,14 @@ Registro de OpenVPN Importar configuración de OpenVPN Consumo de batería + En mis pruebas personales la razón principal del alto consumo de batería de OpenVPN son los paquetes de sobrevivencia (keepalive). La mayoría de servidores de OpenVPN tienen una configuración como \'keepalive 10 60\' que se traduce en un paquete de keepalive del cliente al servidor y viceversa cada diez segundos. <p> Si bien estos paquetes son pequeños y no utilizan mucho tráfico, mantienen la red móvil ocupada e incrementan el consumo de energía. <p> Esta configuración de sobrevivencia no puede ser cambiada en el cliente. Sólo el administrador de sistemas de la OpenVPN puede cambiar esta configuración. <p> Desafortunadamente, usar una sobrevivencia mayor a 60 segundos con udp ocasiona problemas con algunas puertas de entrada NAT los cuales terminan una conexión después de un corto tiempo de espera (60s en mis pruebas). Usar TCP con un tiempo de sobrevivencia largo funciona pero genera el problema de TCP sobre TCP. (Ver <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\"> Por qué TCP sobre TCP es una mala idea (en inglés) </a>) + La funcionalidad de Tethering de Android (sobre WiFi, USB o Bluetooth) y la API del servicio de VPN (utilizada por esta aplicación) no pueden trabajar juntas. Para más detalles vea el <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">problema #34</a> + VPN y Tethering + Reintentos de conexión + Configuración de reconexión + Número de segundos de espera entre intentos de conexión. + Segundos entre las conexiones + OpenVPN falló inesperadamente. Por favor considere usar la opción envío de minivolcado en el menú principal + Enviar minivolcado al desarrollador + Enviar información de depuración sobre último fallo al desarrollador diff --git a/res/values-et/strings.xml b/res/values-et/strings.xml index 0eb5d9a0..81a8565c 100755 --- a/res/values-et/strings.xml +++ b/res/values-et/strings.xml 
@@ -5,7 +5,7 @@ Serveri aadress: Serveri port: Asukoht - Kataloogi ei saa lugeda! + Kataloog pole loetav Vali Tühista Andmed puuduvad @@ -15,8 +15,8 @@ Kliendisertifikaadi võti PKCS12 fail CA sertifikaat - Pole valitud - Lähtetekst ja probleemihaldur asuvad veebilehel http://code.google.com/p/ics-openvpn/ + Peate valima sertifikaadi + Lähtetekst ja probleemihaldur asuvad veebilehel http://code.google.com/p/ics-openvpn/ Programmis kasutatakse järgnevaid komponente. Detailse litsenseerimisinfo leiate lähtekoodist Lähemalt Täpsemalt programmist OpenVPN Androidile @@ -25,7 +25,7 @@ Tüüp PKCS12 salasõna Vali… - Pole valitud + Valige fail Kasuta TLS autentimist TLS suund Sisesta IPv6 Aadress/Võrgumask CIDR formaadis (nt. 2000:dd::23/64) @@ -35,18 +35,18 @@ Sisestage OpenVPN kohandatud valikud. Ettevaatlikkus ei tee paha. Palun samuti tähele panna et VPNSettings API ei toeta paljusid tun liidesega seotud OpenVPN seadistusi. Siiski, kui te leiate et mõni oluline seadistusvalik on puudu, siis kontakteeruge programmi autoriga Kasutajanimi Salasõna - Staatilise konfiguratsiooni puhul kasutatakse TLS Auth võtmeid staatiliste võtmetena. + Staatilise konfiguratsiooni puhul kasutatakse TLS Auth võtmeid staatiliste võtmetena Konfigureeri VPN Lisa profiil Lisage uuele profiilile osutav nimi - Topelt profiili nimi + Palun sisestage unikaalne profiilinimi Profiili nimi - Ühtegi kasutajasertifikaati pole valitud. + Peate valima kasutaja sertifikaadi Vigu ei leitud Konfiguratsiooni viga - IPv4 aadress ei allu analüüsile + Sisestatud IPv4 aadress ei allu süntaksianalüüsile Kohandatud marsruudid ei allu süntaksianalüüsile - Jäta tühjaks, küsitakse vajadusel + (jäta tühjaks, küsitakse vajadusel) OpenVPN kiirkäivitus Ühendu VPN\'iga Lühivalikus määratud profiil puudub 
@@ -90,9 +90,9 @@ Luba \'ujuv\' server Kohandatud valikud Muuda VPN seadistusi - Kas eemaldada VPN profiil %s? + Kas eemaldada VPN profiil \'%s\'? Mõnel modifitseeritud ICS versioonil võivad /dev/tun õigused olla valed, või selle moodul sootuks puududa. CM9 puhul võib probleemi lahendada üldiste seadistuste alt omanikuõiguste parandamine - tun liidese avamine ebaõnnestus täielikult. + Tun liidese avamine ebaõnnestus "Viga:" Tühjenda info @@ -106,7 +106,7 @@ Liidese andmed on %1$s ja %2$s, eeldades et teine aadress on eemalasuva serveri aadress. Lokaalse IP jaoks kasutatakse /32 võrgumaski. OpenVPN teatab režiimiks %3$s\". %1$s ja %2$s on mõttetud CIDR võrgumaskiga IP marsruutidest, võrgumaskiks määratakse /32. %1$s/%2$s marsruut parandatud: %3$s/%2$s - Androidi Keychain sertifikaadid on kättesaamatud. (See võib olla põhjustatud püsivara uuendamisest või appide/apiseadistuste taastamisest). Sertifikaatide pääsuõiguste taastamiseks redigeerige palun VPN seadistusi ja valige uuesti üldiste seadistuste alt sertifikaat. + Androidi Keychain sertifikaadid on kättesaamatud. See võib olla põhjustatud püsivara uuendamisest või appide/apiseadistuste taastamisest. Sertifikaatide pääsuõiguste taastamiseks redigeerige palun VPN seadistusi ja valige uuesti üldiste seadistuste alt sertifikaat. %1$s %2$s Saada logifail Saada @@ -142,7 +142,7 @@ Üritan lugeda faili: %1$s Ei õnnestunud leida imporditavas konfiguratsioonifailis mainitud faili: %1$s Allikast %1$s imporditakse konfiguratsioonifaili - Teie konfiguratsioonis leidus vähe analüüsile alluvaid valikuid. Leitud valikud lisati kohandatud seadistusvalikutena. Kohandatud konfiguratiooni leiate allpool: + Teie konfiguratsioonis on mõned süntaktilisele analüüsile allumatud valikuid. Leitud valikud lisati kohandatud seadistusvalikutena. Kohandatud konfiguratiooni leiate allpool: Konfiguratsioonifail loetud. Ära seo lokaalse aadressi ja pordiga Lokaalne sidumine puudub 
@@ -172,7 +172,7 @@ Näitab genereeritud OpenVPN konfiguratsioonifaili Redigeeritakse \"%s\" Koostatakse konfiguratsiooni… - Selle valiku aktiveerimine kutsub esile VPN uuestiühendumise kui võrgu olek muutub (WIFI peale/pealt mobiilile) + Selle valiku aktiveerimine kutsub esile VPN uuestiühendumise kui võrgu olek muutub (nt. WIFI peale/pealt mobiilile) Uuestiühendus võrgu oleku muutumisel Saadud sertifikaat \'%s\' võtmehoidlast Võrgu olek: %s 
@@ -224,4 +224,18 @@ Marsruutimine ja liidese seadistamine ei toimu traditsiooniliste ifconfig/route käskudega vaid VPNService API abil. Tulemuseks on teistest OS\'dest erinev marsruutimise konfiguratsioon. Konfiguratsioonis on kirjed ainult tunneli-liidese IP jaoks ja nende võrkude kirjeldused mis peavad olema marsruuditud läbi selle liidese. Täpsemalt, pole vaja kirjeldada ei teise poole aadressi ega ruuterit. Spetsiaalsed ruutingukirjed VPN serveriga kontakteerumiseks (nagu näiteks redirect-gateway kasutamisel) ei ole samuti vajalikud. Seetõttu ignoreeritakse konfiguratsiooni importimisel neid kirjeid. Programm kindlustab VPNService API abil et VPN serveriga kontakteerumist nõudvaid ühendusi ei ruudita läbi VPN tunneli. Kuna toetatud on ainult tunneldatavate võrkude marsruudid, siis ei saa kirjeldada ka ruutinguid mis ei suuna liiklust läbi tunneli. (nt. route x.x.x.x y.y.y.y net_gateway). \'Näita ühenduse andmeid\' nupp logiaknas näitab kehtivat VPNService võrgukonfiguratsiooni. Ära taasta otseühendust kui OpenVPN on taasühendumas. Katkematu tun + Tõlge + OpenVPN Logi + Impordi OpenVPN konfiguratsioon + Akukasutus + Minu isiklike testide põhjal kulutavad akut peamiselt OpenVPN keepalive paketid. Enamikel OpenVPN serveritel esineb direktiiv nagu \'keepalive 10 60\' mis tähendab et klient saadab serverile ja server kliendile keepalive pakette iga 10 sekundi tagant. <p> Ehkki keepalive paketid on väikesed ja ei põhjusta märgatavat võrguliiklust, ei lase nad mobiilse ühenduse raadiovõrgukiibil minna energiasäästurežiimi. <p> Need keepalive seadistused pole kliendi poolt muudetavad, neid seadistusi saab muuta ainult OpenVPN serveri süsteemiadministraator. <p> Kahjuks esineb üle 60 sekundi pikkuse keepalive puhul probleeme UDP protokolliga üle mõnede NAT ruuterite mis kustutavad UDP ühenduste olekuinfo väga lühikese aja jooksul (minu testides 60s). TCP protokolliga seda probleemi ei esine, kuid esineb TCP üle TCP tunneldamise probleem. 
(Vaata <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Miks TCP üle TCP on halb mõte</a>) + Android Tethering (üle WiFi, USB või Bluetoothi) ja VPNService API (mida käesolev programm kasutab) ei ole koos kasutatavad. Täpsemad detailid leiad <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a> + VPN ja tether + Ühendumise korduskatseid + Taasühendusseaded + Mitu sekundit oodata ühendumiskatsete vahel. + Sekundeid ühenduste vahel + OpenVPN jooksis ootamatult kokku. Palun kaaluge \"saada Minitõmmis\" valiku lubamist peamenüüs + Saada arendajale minitõmmis + Saada eelmise kokkujooksmise kohta käiv silumisinfo arendajale diff --git a/res/values-fr/strings.xml b/res/values-fr/strings.xml index 65132174..a5f589f4 100755 --- a/res/values-fr/strings.xml +++ b/res/values-fr/strings.xml @@ -15,7 +15,7 @@ "Clé du certificat client" "Fichier PKCS12" "Certificat CA" - "Rien de sélectionné" + "Vous devez sélectionner un certificat" "Le code source et le tracker de bugs est disponible ici: http://code.google.com/p/ics-openvpn/ " "Le programme utilise les composants suivants. Voir le code source pour plus de détails sur les licences." "À propos" @@ -25,7 +25,6 @@ "Type" "Mot de passe PKCS12" "Sélectionner..." - "Rien de sélectionné" "Utiliser l\'authentification TLS" "Direction de l\'authentification TLS" "Entrez l\'adresse IPv6 / masque de réseau au format CIDR (ex.: 2000:jj::23/64)" @@ -39,7 +38,6 @@ "Configurer le VPN" "Ajouter un profil" "Entrez un nom identifiant le nouveau profil" - "Dupliquer un nom de profil" "Nom de profil" "Aucun certificat utilisateur sélectionné." "Aucune erreur" 
@@ -91,7 +89,7 @@ "Permettre des serveur flottants" "Options personnalisées" "Modifier les paramètres VPN" - "Effacer le profil VPN %s ?" + \"Effacer le profil VPN %s ?\"? "Sur certaines ROMs ICS les permissions de /dev/tun peuvent être incorrectes, ou le module Tun peut être manquant. Pour les ROMs CM9, essayez de corriger les options dans \"General Settings\"" "L\'ouverture de l\'interface Tun a échoué." "Erreur: " @@ -107,7 +105,7 @@ "Informations récupérées de l\'interface: %1$s et %2$s , en supposant que la seconde adresse est l\'adresse peer du réseau distant. Utilisation du masque de réseau /32 pour l\'IP locale. Mode donné par OpenVPN: \"%3$s\"." "Ne peut pas donner un sens à %1$s et %2$s comme routage IP avec masque réseau de type CIDR, en utilisant /32 comme masque de réseau." "Règle de redirection corrigée: %1$s / %2$s en %3$s / %2$s" - "Impossible d\'accéder aux certificats \"Android Keychain\". (Peut être causé par une mise à jour du firmware ou par une restauration d\'une sauvegarde des paramètres de l\'application). Veuillez modifier le profil VPN et sélectionnez de nouveau le certificat dans les réglages de base pour recréer l\'autorisation d\'accéder au certificat." + \"Impossible d\'accéder aux certificats \"Android Keychain\". (Peut être causé par une mise à jour du firmware ou par une restauration d\'une sauvegarde des paramètres de l\'application). Veuillez modifier le profil VPN et sélectionnez de nouveau le certificat dans les réglages de base pour recréer l\'autorisation d\'accéder au certificat.\". "%1$s %2$s" "Envoyer le fichier de log" "Envoyer" 
@@ -115,8 +113,8 @@ "Entrée du log copiée" "Mode TAP" "Le mode TAP est indisponible avec l\'API non root VPN. Par conséquent, cette application ne peut pas supporter TAP" - "Encore une fois? Vous plaisantez? Le mode TAP n\'est absolument pas pris en charge et l\'envoi de plus d\'e-mails demandant si il sera intégré ne va en rien aider." - "Encore une fois ? En fait il est possible que quelqu\'un puisse écrire un émulateur TAP basé sur TUN qui pourrait analyser des informations de type \"layer2\". Mais cet émulateur devrait aussi implémenter ARP et un client DHCP. Je ne suis actuellement pas au courant que quelqu\'un travail dessus. Contactez moi si vous voulez m\'aider là dessus" + \"Encore une fois? Vous plaisantez? Le mode TAP n\'est absolument pas pris en charge et l\'envoi de plus d\'e-mails demandant si il sera intégré ne va en rien aider.\". + \"Encore une fois ? En fait il est possible que quelqu\'un puisse écrire un émulateur TAP basé sur TUN qui pourrait analyser des informations de type \"layer2\". Mais cet émulateur devrait aussi implémenter ARP et un client DHCP. Je ne suis actuellement pas au courant que quelqu\'un travail dessus. Contactez moi si vous voulez m\'aider là dessus\". "FAQ" "Foire aux questions et quelques conseils" "Copie des entrées du log" 
@@ -143,7 +141,7 @@ "Tentative de lecture du fichier: %1$s" "Impossible de trouver le fichier %1$s mentionné dans le fichier de configuration importé" "Importation du fichier de configuration depuis %1$s" - "Votre configuration a quelques options de configuration qui pourraient être analysées. Ces options ont été ajoutées comme options de configuration personnalisées. La configuration personnalisée est affichée ci-dessous:" + \"Votre configuration a des options de configuration qui ne pouvaient pas être analysées. Ces options ont été ajoutées comme options de configuration personnalisées. La configuration personnalisée est affichée ci-dessous:\": "Fin de la lecture du fichier de configuration." "Ne pas se lier à l\'adresse locale et au port" "Aucune liaison locale" 
@@ -233,4 +231,8 @@ Sur certaines images, cette notification joue un son.\nAndroid à introduit ces "Lors de mes tests d\'OpenVPN, la source de principale de consommation de la batterie est l\'émission des paquets de servant à maintenir la connexion active (keepalive). La plupart des serveurs OpenVPN utilisent la directive \'keepalive 10 60\' ce qui signifie que des packets de keepalive sont envoyés toutes les 10 secondes du client au serveur et vice-versa, et que la connexion sera redemmarée après 60s en cas d\'inactivité. lt;gt;Bien que le trafic généré soit faible, ces paquets maintiennent le module radio actif et augmentent la consommation d\'énergie. lt;pgt; Malheureusement, la configuration du keepalive ne peut pas être changé sur le client, seul l\'administrateur du réseau OpenVPN peut le faire. En effet, utiliser une période de keepalive supérieure à 60 secondes pose problème pour les réseaux UDP et les passerelles NAT qui ferment alors la connexion (mes tests ont mis en évidence un timeout de 60s). L\'usage de TCP et d\'une plus longue periode de keepalive est possible mais présente les inconvénient lié aux connexion TCP encapsulées (cf., site en anglais: lt;a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\"gt;Why TCP Over TCP Is A Bad Idelt;/agt;)" La fonctionnalité de Tethering Android (sur WiFi, USB ou Bluetooth) et l\'API VPNService (utilisé par ce programme) ne fonctionnent pas ensemble. Pour plus de détails, voir la <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\" > page #34 </a> VPN et Tethering + "Tentatives de connexion" + "Paramètres de reconnexion" + "Nombre de secondes d\'attente entre chaque tentative de connexion." + "Temps, en secondes, entre deux connexions" diff --git a/res/values-it/strings.xml b/res/values-it/strings.xml index e34665b2..63b92df8 100755 --- a/res/values-it/strings.xml +++ b/res/values-it/strings.xml 
@@ -5,7 +5,7 @@ Indirizzo server: Porta del server: Posizione - La cartella non può essere letta! + Impossibile leggere la directory Seleziona Annulla Nessun dato @@ -15,9 +15,8 @@ Chiave del certificato client File PKCS12 Certificato CA - Nessuna selezione - Il codice sorgente e il bug tracker sono disponibili all\'indirizzo http://code.google.com/p/ics-openvpn/ - Il programma utilizza i seguenti componenti. Fare riferimento al sorgente per tutti i dettagli relativi alle licenze + Devi selezionare un certificato + Questo programma usa i seguenti componenti; guarda il codice sorgente per i dettagli completi sulle licenze Informazioni Informazioni su OpenVPN per Android Elenco connessioni VPN configurate 
@@ -25,28 +24,25 @@ Tipo Password PKCS12 Seleziona… - Nulla selezionato + Devi selezionare un file Usa autenticazione TLS Direzione TLS Inserire l\'indirizzo IPv6 e la maschera di rete in formato CIDR (ad esempio 2000:dd::23/64) Inserire l\'indirizzo IPv4 e la maschera di rete in formato CIDR (ad esempio 1.2.3.4/24) Indirizzo IPv4 Indirizzo IPv6 - Inserire le opzioni personalizzate di OpenVPN. Utilizzare con attenzione. Si ricorda che molte delle impostazioni relative a OpenVPN non sono attualmente supportate da progetto. Se pensate che qualcuna di queste sia indispensabile, contattare l\'autore Utente Password - Per la configurazione statica le chiavi TLS di autenticazione saranno utilizzate come chiavi statiche. + Per la configurazione statica le chiavi di autorizzazione TLS saranno usate come chiavi statiche Configura la VPN Aggiungi profilo Immettere un nome per identificare il nuovo profilo - Nome del profilo duplicato + Si prega di inserire un nome univoco del profilo Nome del profilo - Nessun certificato utente selezionato. + Devi selezionare un certificato utente Nessun errore trovato Errore nella configurazione Impossibile analizzare l\'indirizzo IPv4 - Non è possibile analizzare le informazioni di routing personalizzate - Lasciare vuoto perché venga richiesta ad ogni avvio Collegamento a OpenVPN Connetti alla VPN Profilo indicato nel collegamento non trovato 
@@ -54,14 +50,14 @@ Aggiunge 6 caratteri casuali prima dell\'hostname Abilita le opzioni personalizzate Specifica opzioni personalizzate. Utilizzare con cautela! - \"Reindirizzamento (route)\" rifiutato da Android + Reindirizzamento (route) rifiutato da Android Scollega Cancella registro - Annulla conferma - Disconnetti la VPN in uso/annulla il tentativo di connessione? + Conferma l\'annullamento + Disconnetti la VPN in uso/annulli il tentativo di connessione? Rimuovi VPN Controlla se il server utilizza un certificato Server TLS - Ad eccezione del server TLS + Eccezioni del server TLS Controlla il certificato del server remoto CN confrontandolo con una stringa Verifica il certificato dell\'Host Inserisci una stringa con cui controllare il server remoto. OpenVPN controllerà che il prefisso corrissponda. Ad esempio \"Server\" riconosce validi \"Server-1\" e \"Server-2\".\nLasciare vuoto se si desidera controllare il nome dell\'host remoto CN con il nome del server. @@ -79,7 +75,7 @@ Server DNS Server DNS secondario utilizzato se il Server DNS primario non può essere raggiunto. Server DNS secondario - Ignora gli instradamenti dati dal server + Ignora gli instradamenti Ignora impostazioni di routing comunicate dal server. Reindirizza tutto il traffico sulla VPN Utilizza il Routing di default @@ -90,9 +86,9 @@ Consenti che il server possa cambiare indirizzo IP (modalità float) Opzioni personalizzate Modifica impostazioni VPN - Rimuovere il profilo VPN %s? + Rimuovere il profilo VPN \'%s\'? In alcune immagini ICS personalizzate i permessi su /dev/tun potrebbero essere errati, oppure il modulo TUN completamente assente. Per le immagini CM9 provare a correggere le opzioni Proprietà nella sezione impostazioni generali - Apertura dell\'interfaccia tun non riuscita. + Impossibile accedere all\'interfaccia tun "Errore:" Azzera Info 
@@ -106,7 +102,6 @@ Ottenute le informazioni sulle interfacce %1$s e %2$s, assumendo che il secondo indirizzo sia il peer remoto. Utilizzata la maschera /32 per l\'IP locale. La modalità impostata da OpenVPN è \"%3$s\". Impossibile utilizzare %1$s e %2$s come reindirizzamenti IP con la maschera CIDR, è stata quindi usata la maschera /32. Instradamento %1$s/%2$s corretto con %3$s/%2$s - Impossibile accedere ai certificati della Keychain di Android (può essere causato da un aggiornamento del firmware o dal ripristino di un backup dell\'applicazione o delle sue impostazioni). E\' necessario modificare le impostazioni della VPN e riselezionare il certificato nelle impostazioni di base per ricreare i permessi di accesso al certificato. %1$s %2$s Invia il file di log Invia @@ -114,8 +109,7 @@ Voce di registro copiata negli appunti Modalità TAP La modalità TAP non è disponibile con le VPN API non root - Ancora? Stai scherzando? La modalità TAP non è realmente supportata ed inviare ulteriori richieste via mail di sicuro non aiuta! - Per la terza volta? In realtà si potrebbe scrivere un emulatore TAP basato su TUN che aggiunge le informazioni di Layer 2 in uscita e le elimina in ingresso. Ma questo emulatore TAP dovrebbe anche implementare ARP e un client DHCP. Non sono a conoscenza di nessuno che stia realizzando qualcosa del genere. Contattami se vuoi iniziare a scrivere del codice a riguardo. + Ancora? Stai scherzando? No, la modalità tap non è supportata e mandare nuove email chiedendo se sarà supportata non aiuterà. Domande frequenti (FAQ) Domande più frequenti e qualche consiglio Sto copiando le voci di log 
@@ -123,7 +117,7 @@ Usa il tasto hardware Menù se non è visibile nella GUI. Scorciatoia per l\'avvio È possibile inserire un collegamento per avviare OpenVPN sul desktop. A seconda del vostro launcher dovrete aggiungere un collegamento o un widget. - La tua immagine non supporta le API VPNService, mi dispiace :( + La tua immagine non è supportata dal VPNService API, mi dispiace :( Crittografia Inserire il metodo di crittografia Inserisci la chiave di cifratura per OpenVPN. Lascia vuoto per usare la chiave di cifratura predefinita @@ -143,7 +137,6 @@ Usa il tasto hardware Menù se non è visibile nella GUI. Tentativo di lettura del file: %1$s Impossibile trovare il file %1$s menzionato nel file di configurazione importato Importa il file di configurazione dalla sorgente %1$s - La tua configurazione ha avuto alcune opzioni che potevano essere analizzate. Queste opzioni sono state aggiunte come opzioni di configurazione aggiuntive. Le opzioni di configurazione aggiuntive sono visionabili qui sotto: Effettuata la lettura del file di configurazione Non legarti all\'indirizzo e alla porta locali (bind) @@ -174,8 +167,7 @@ nel bug tracker).</p><p>Si è visto che ai firmware ufficiali della Correggi i diritti su /dev/tun Mostra il file di configurazione di OpenVPN generato Modifica \"%s\" - Configurazione dell\'edificio... - Selezionando questa opzione verrà forzata una riconnessione se lo stato della rete cambia (da WIFI a cellulare e viceversa) + Configurazione in corso... Riconnetti in caso cambi la rete Ottenuto il certificato \'%s\' dal Keystore Stato della rete: %s 
@@ -192,15 +184,15 @@ nel bug tracker).</p><p>Si è visto che ai firmware ufficiali della Avviso di connessione e notifica audio Traduzione in inglese di Arne Schwabe<arne@rfc2549.org> IP e DNS - Base + Principali Instradamento (routing) - Offusca le impostazioni di OpenVPN. Normalmente non necessario. + Impostazioni complesse di OpenVPN. Normalmente non necessarie. Avanzate Configurazione OpenVPN ICS Nessun server DNS in uso. La risoluzione dei nomi potrebbe non funzionare. Valuta se inserire dei server DNS personalizzati. Impossibile aggiungere il server DNS \"%1$s\", respinto dal sistema: %2$s - <p>Ottieni una configurazione funzionante (testata sul tuo computer o fornita dal tuo provider o dalla tua ditta)</p><p>Se si tratta di un singolo file senza ulteriori file tipo pem/pkcs12 puoi spedire il file a te stesso via email ad aprire l\'allegato. Se hai più file, salvali sulla scheda SD.</p><p>Clicca sull\'allegato dell\'email/Utilizza l\'icona della cartella nell\'elendo delle VPN per importare il file di configurazione</p><p>Se compaiono degli errori relativi a file non trovati, metti i file mancanti sulla tua scheda SD.</p><p>Clicca sull\'icona di salvataggio per aggiungere la VPN importata nell\'elenco delle tue VPN</p><p>Connettiti alla VPN cliccando sul nome della VPN</p><p>Se compaiono degli errori o degli avvertimenti nei log, si consiglia di non ignorarli, ma di cercare delle soluzioni</p> - Avvio rapido + <p>Ottieni una configurazione funzionante (testata sul tuo computer o fornita dal tuo provider o dalla tua ditta).</p><p>Se si tratta di un singolo file senza ulteriori file tipo pem/pkcs12, puoi spedire il file a te stesso via email ad aprire l\'allegato. 
Se hai più file, salvali sulla scheda SD.</p><p>Clicca sull\'allegato dell\'email oppure utilizza l\'icona della cartella nell\'elendo delle VPN per importare il file di configurazione.</p><p>Se compaiono degli errori relativi a file non trovati, copia i file mancanti sulla tua scheda SD.</p><p>Clicca sull\'icona di salvataggio per aggiungere la VPN importata nell\'elenco delle tue VPN.</p><p>Connettiti alla VPN cliccando sul nome della VPN.</p><p>Se compaiono degli errori o degli avvertimenti nei log, si consiglia di non ignorarli, ma di cercare delle soluzioni.</p> + Guida rapida Prova a caricare il modulo tun.ko prima di connettersi. Si devono avere diritti di root sul dispositivo. Carica il modulo tun Importa i PKCS12 dalla configurazione presente nel Keystore di Android 
@@ -216,8 +208,8 @@ nel bug tracker).</p><p>Si è visto che ai firmware ufficiali della Le modifiche sarannoi applicate dopo aver riavviato la connessione VPN. Riavviare ora la connessione? Configurazione modificata Impossibile determinare l\'ultimo profilo con cui ci si è connessi per poterlo modificare - Duplica le notifiche - Normalmente se la memoria di sistema (RAM) di Android è insufficiente, i programmi ed i servizi che non sono in quel momento necessari vengono rimossi dalla memoria attiva. Questo terminerebbe una connessione VPN in corso. Per far sì che conessione OpenVPN resti in funzione, il servizio viene eseguito in priorità alta e per questo deve mostrare un\'icona nella barra delle notifiche. L\'icona di notifica è imposta dal sistema come descritto nella precedente voce delle FAQ. Non vale però come notifica del programma per lo scopo di venire eseguita con priorità alta. + Doppie notifiche + Normalmente, se la memoria di sistema (RAM) di Android è insufficiente, i programmi ed i servizi che non sono in quel momento necessari vengono rimossi dalla memoria attiva. In questo caso la connessione VPN in corso sarebbe terminata. Per far sì che la conessione OpenVPN resti in funzione, il servizio viene eseguito in priorità alta e per questo motivo appare un\'icona permanente nella barra delle notifiche. L\'icona di notifica a forma di chiave è invece imposta dal sistema come descritto nella precedente voce delle FAQ e non serve a far eseguire il programma con priorità alta. Nessun profilo VPN definito. Usa l\'icona <img src=\"ic_menu_add\"/> per aggiungere una nuova VPN Usa l\'icona <img src=\"ic_menu_archive\"/> per importare il profilo (.ovpn o .conf) dalla tua scheda SD. 
@@ -231,7 +223,6 @@ nel bug tracker).</p><p>Si è visto che ai firmware ufficiali della Log di OpenVPN Importa configurazione OpenVPN Consumo della batteria - Nei test eseguiti da me in persona, la causa principale di un elevato consumo di batteria durante il funzionamento di OpenVPN erano i pacchetti per il mantenimento della connessione (keepalive packets). La maggior parte dei server OpenVPN sono configurati con l\'impostazione \'keepalive 10 60\' che corrisponde ad un pacchetto per il mantenimento della connessione dal client al server e dal server al client ogni 10 secondi. <p> Nonostante questi pacchetti siano piccoli e non causino molto traffico, questi tengono impegnata la rete cellulare ed aumentano il consumo della batteria. <p> Questa impostazione del keepalive non può essere impostata sul client. Solo l\'amministratore di sistema della rete OpenVPN a cui ci si vuole connettere può modificare questa impostazione. <p> Sfortunatamente, se si usa un keepalive maggiore di 60 secondi con reti OpenVPN in UDP, si riscontrano dei problemi con alcuni gateway NAT, i quali terminano la connessione dopo dei timeout relativamente brevi (60 secondi nei miei test). Se invece si usa un keepalive maggiore con una VPN in TCP, questo problema non si presenta, ma bisogna fare i conti col problema del TCP over TCP (vedi <a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">Why TCP Over TCP Is A Bad Ide</a>). Il Tethering di Android (via WiFi, USB o Bluetooth) e le API del servizio VPN (utilizzate da questo programma) non possono funzionare contemporaneamente. Per maggiori informazioni, <a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">vedi qui#34</a> VPN e Tethering diff --git a/res/values-ja/strings.xml b/res/values-ja/strings.xml index 7bcdd61c..57d7fd8d 100755 --- a/res/values-ja/strings.xml +++ b/res/values-ja/strings.xml @@ -5,7 +5,7 @@ サーバアドレス ポート番号 場所 - フォルダが読み取れません + ディレクトリが読み取れません 選択 キャンセル データなし 
@@ -15,7 +15,7 @@ クライアント証明書のキー PKCS12ファイル CA 証明書 - 選択なし + 証明書を選択する必要があります。 ソースコードと問題管理は以下で: http://code.google.com/p/ics-openvpn/ プログラムは、次のコンポーネントを使用します。完全な詳細についてはソース上のライセンスを参照してください。 バージョン情報 @@ -25,7 +25,7 @@ 種別 PKCS12のパスワード 選択 - 選択なし + ファイルを選択する必要があります。 TLS認証を使用します。 TLS Direction IPv6アドレスをCIDR形式で入力(例:2000:dd::23/64) @@ -41,11 +41,11 @@ 新しいプロファイルを識別する名前を入力します プロファイル名が重複しています。 プロファイル名 - ユーザー証明書が選択されていません。 + ユーザー証明書を選択する必要があります。 エラーは見つかりませんでした。 設定に誤りがあります。 - IPv4 アドレスを解析できません。 - カスタムの経路情報を解析することができません。 + IPv4 アドレスの解析エラー + カスタム経路の解析エラー 必要に応じて入力するには空欄にしてください OpenVPN のショートカット VPNに接続 
@@ -262,12 +262,20 @@ VPNService APIを使用してサーバに接続するアプリケーションは OpenVPN のログ OpenVPN の構成のインポート バッテリー消費量 - 個人的な検証では、OpenVPNがバッテリを多く消費する主な原因はkeepaliveパケットです。 -大部分のOpenVPNサーバは\'keepalive 10 60\'のような設定を持っており、これは10秒ごとにサーバとクライアントで相互にkeepaliveパケットを送信しあうことを意味します。 -<p> これらのパケットは小さく多くの帯域は使用しませんが、モバイル回線機能を常に稼動させ続け電力消費を増大させます。 -<p> このkeepalive設定はクライアント側からは変更できません。OpenVPNのシステム管理者のみが変更可能です。 -<p> 残念なことに、60秒より大きな間隔のUDP keepaliveはいくつかのNATゲートウェイにおいては接続状態が維持できず、それより短い時間でタイムアウトします。(検証では60秒) -TCP keepaliveと長いタイムアウト時間は動作しますが、TCP over TCP問題を引き起こします。(詳細は<a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">なぜTCP over TCPは悪いアイディアなのか</a>を参照) + 私の個人的な検証では、OpenVPNの高いバッテリ消耗の主要因はkeepaliveパケットです。 +大半のOpenVPNサーバは\'keepalive 10 60\'のような設定を持っており、これは10秒ごとにクライアントとサーバで相互にkeepaliveパケットを送ることを意味します。 +<p> これらのパケットは小さく、大きな帯域は要しませんが、通信機能を稼働させ続け電力消費を増大させます。 +<p> このkeepaliveの設定はクライアント側からは変更できません。システム管理者のみがOpenVPNの設定を変更できます。 +<p> 残念ながら60秒より大きなkeepaliveの間隔は、いくつかのNATゲートウェイにおいては接続状態が維持できずそれより短い間隔でタイムアウトします。(私の検証では60秒) +TCPモードと長めのkeepaliveタイムアウトは動作しますが、しかしTCP over TCP問題を引き起こします。(<a href=\"http://sites.inka.de/bigred/devel/tcp-tcp.html\">TCP over TCPは何故悪いのか</a>を参照) + Androidのテザリング機能(WiFi, USB, Bluetooth経由)とVPNService API(このプログラムから使用する機能)は同時に利用できません。詳細については<a href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a>を参照 VPN とテザリング + 接続の再試行 + 再接続の設定 + 再接続を試行する際の間隔(秒) + 接続間隔(秒) + OpenVPN は予期せず終了しました。メイン メニューでミニダンプの送信オプションを検討してください。 + ミニダンプを開発者に送信 + 最後にクラッシュした時のデバッグ情報を作者に送信します。 diff --git a/res/values-nl/strings.xml b/res/values-nl/strings.xml index 40140e99..5403ae06 100755 --- a/res/values-nl/strings.xml +++ b/res/values-nl/strings.xml @@ -5,7 +5,6 @@ Server Adres: Server Poort: Locatie - map onleesbaar! Selecteer Annuleer Geen Gegevens 
@@ -15,9 +14,6 @@ Client Certificaat Sleutel PKCS12 Bestand CA Certificaat - Niets geselecteerd - Broncode en probleem tracker zijn beschikbaar via http://code.google.com/p/ics-openvpn/ - Het programma gebruikt de volgende componenten. Zie de broncode voor volledige details over de licenties Over Over OpenVPN voor Android Lijst van alle geconfigureerde VPN verbindingen @@ -25,7 +21,6 @@ Type PKCS12 Wachtwoord Selecteer… - Niets Geselecteerd Gebruik TLS autentificatie TLS Richting Voer een IPv6 Adres/Netmask in met het CIDR Formaat (v.b. 2000:dd::23/64) @@ -34,17 +29,12 @@ IPv4 Adres Gebruikersnaam wachtwoord - Voor de statische configuratie worden de TLS Auth keys als statische keys gebruikt. VPN configureren Profiel toevoegen Voer een naam in voor het nieuwe Profiel - Dubbele Profielnaam Profiel name - Geen Gebruikerscertificaat geselecteerd. Geen fout. Fout in de configuratie - Het IPv4 adres is foutief - De aangepaste route is foutief Open VPN shortcut Met VPN verbinden Het profiel zoals aangegeven in de snelkoppeling kon niet gevonden worden. @@ -81,8 +71,6 @@ Zwevende server toestaan Aangepaste Opties VPN Instellingen Bewerken - Verwijder het VPN Profiel %s? - Het openen van de tun interface ging verkeerd. "Fout:" Leeg maken info @@ -98,7 +86,6 @@ Verzenden Tap mode De VPN API van Android werkt zonder rooten van de telefoon en ondersteunt alleen de tun modus. Daarom is de tap modus niet mogelijk met deze app. - Alweer dit? Serieus? Nee, de tap modus kan écht niet gebruikt worden. Het helpt ook niet om mij met de vraag wanneer dit wél mogelijk is te mailen. configuratie bestand importeren Beveiligingsoverwegingen Importeren diff --git a/res/values-zh-rCN/strings.xml b/res/values-zh-rCN/strings.xml index 9bf73221..c6ea7198 100755 --- a/res/values-zh-rCN/strings.xml +++ b/res/values-zh-rCN/strings.xml @@ -5,7 +5,7 @@ 服务器地址: 服务器端口: 地点 - 无法读取文件夹! + 无法读取目录 选择 取消 无数据 
@@ -15,7 +15,7 @@ 客户端证书密钥 PKCS12 文件 CA 证书 - 无证书 + 您必须选择一个证书 请前往 http://code.google.com/p/ics-openvpn/ 源码或提供问题反馈 本程序使用以下组件,请在 Licenses 查看源码获取更详细内容。 关于 @@ -25,26 +25,21 @@ 类型 PKCS12 密码 选择 - 未选择任何项 + 您必须选择一个文件 使用 TLS 认证 TLS 方向 输入 CIDR 格式 IPv6 地址/子网掩码(例如:2000:dd::23/64) 输入 CIDR 格式 IPv4 地址/子网掩码(例如:1.2.3.4/24) IPv4 地址 IPv6 地址 - 输入自定义 OpenVPN 选项 用户名 密码 配置 VPN 添加配置文件 输入新配置文件名: - 配置文件名已存在 配置文件名 - 未选用户证书。 未找到错误 配置有错误 - 无法解析 IPv4 地址 - 无法解析自定义路由 OpenVPN 快捷方式 连接到 VPN 未找到快捷方式中指定的配置文件 @@ -83,7 +78,6 @@ 允许浮服务器 自定义选项 编辑 VPN 设置 - 删除 VPN 配置文件 %s 吗? 错误 清除 信息 diff --git a/res/values-zh-rTW/strings.xml b/res/values-zh-rTW/strings.xml index 5635144c..595f53ec 100755 --- a/res/values-zh-rTW/strings.xml +++ b/res/values-zh-rTW/strings.xml @@ -5,7 +5,7 @@ 伺服器地址: 伺服器端口: 位置 - 無法讀取目錄! + 目法讀取檔案目錄 選擇 取消 沒有資料 @@ -15,20 +15,24 @@ 客戶端證書密碼 PKCS12 檔案 CA證書 - 未有選擇任何 + 您必須選擇一個憑證 + 取得原始碼與個案追蹤,可上 http://code.google.com/p/ics-openvpn/ + 本程序使用了以下元件,其作者和授權資訊如下 關於 關於 OpenVPN for Android + 列出所有已設置的VPN VPN設定檔 類型 PKCS12 密碼 選擇… - 未有選取任何 - 使用TLS防火牆 + 你必須選擇一個檔案 + 使用傳輸層防火牆(TLS-Auth) TLS方向 以CIDR格式輸入IPv6地址/遮罩(例如 2000:dd::23/64) 以CIDR格式輸入IPv4地址/遮罩(例如 1.2.3.4/24) IPv4地址 IPv6地址 + 使用自訂的OpenVPN選項,請加倍緊慎。請注意因Android API限制,很多與Tun相關的OpenVPN設定皆無法正常使用。如果你認為我們遺忘了重要的OpenVPN選項,請向作者反映。 用戶名稱 密碼 設定VPN 
@@ -36,89 +40,153 @@ 輸入新的設定檔名稱 重複的設定檔名稱 設定檔名稱 - 沒有選取任何的使用者證書。 + 你必須選取一個使用者證書 未有找到錯誤 設定中含有錯誤 - 無法解析IPv4地址 - 無法解析自訂路由 + 解析IPv4地址時發生錯誤 + 解析自訂路由時發生錯誤 OpenVPN捷徑 連接到VPN 在快捷方式找不到指定的設定檔 + 隨機主機名稱字首 在主機名稱前加入6個隨機字符 啟用自訂選項 + 自訂選項,使用時請小心! + 路由被Android拒絕 斷線 清除記錄檔 + 確認取消 移除VPN + 檢查對方出示的是否TLS伺服器憑證 + 預期對方出示TLS伺服器憑證 + 檢查遠端伺服器所出示的證書的CN欄位是否特定字串 遠端主機名稱(CN) + 啟用傳輸層防火牆(TLS-Auth) TLS驗證檔 + 向伺服器請求IP地址, 路由和時間資訊 + 接受設定推送(Pull) DNS + 忽略伺服器提供的DNS設定 使用自訂的DNS伺服器 搜索網域 要使用的DNS伺服器。 DNS伺服器 + 當主要DNS伺服器無法使用,就會嘗試備用DNS伺服器 後備VPN伺服器 + 忽略伺服器推送的路由 + 忽略從伺服器推送的路由。 重定向所有流量到VPN - 使用預設路由 + 使用VPN作為預設閘道 + 以CIDR格式輸入目的地路由,例如\"10.0.0.0/8 2002::/16\",以上兩個路由將導向到VPN。 自訂路由 記錄的詳細級別 + 只要能夠經過驗證,接受從任何IP地址而來的伺服器訊息 + 容許浮動的伺服器 自訂選項 編輯VPN設定 要移除VPN設定檔 %s 嗎? + 一些自訂的Android4.0 ROM存在/dev/tun的擁有者權限問題,甚至完全沒有Tun模組。CM9用家請嘗試於\"全域設置\"下修正Tun擁有者。 + 無法開啟Tun網絡介面 "錯誤: " 清除 資訊 + 顯示連線的詳細資訊 本地IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d DNS伺服器: %s DNS網域: %s 路徑: %s IPv6路由: %s %1$s %2$s - 傳送記錄檔 - 傳送 + 分享記錄檔 + 分享 ICS OpenVPN 記錄檔 + 已將記錄複製到剪貼簿 Tap模式 + Android內置的VPN API並不支援Tap介面,故此本程序並不支援Tap模式。 FAQ + 經常會被問到的問題和一些建議 + 複製記錄檔條目 + 以快捷方式啟動 + 你的Android ROM不支援VPN服務API,抱歉了。 :( 加密 輸入加密方法 + 輸入OpenVPN加密方法,留空則使用預設 驗證/加密 檔案瀏覽器 + 內嵌檔案 匯入 匯入過程中發生錯誤 無法從檔案系統中匯入檔案 + <內嵌於設定檔> + 匯入.ovpn檔案 匯入 + 匯入過程中無法讀取設定檔 + 讀取設定檔時發生錯誤 新增設定檔 正嘗試讀取檔案: %1$s + 成功讀取設定檔 + 不要綁定本地地址和端口 沒有本地綁定 + 匯入設定檔 保安上的考慮 匯入 IPv4 IPv6 + 等待狀態訊息... 
使用者名稱不能為空。 PKCS12檔加密金鑰 私密金鑰密碼 密碼 檔案圖標 - TLS防火牆 - 常規設置 + 傳輸層防火牆(TLS Firewall) + 生成的設定檔 + 全域設置 + 嘗試修正/dev/tun擁有者權限。已知有些CM9 ROM需要透過這個來才能使得VPN服務API得以運作。本功能需要Root。 修正 /dev/tun 的擁有者 + 顯示本程序生成的設定檔 正在編輯\"%s\" 正在生成設定檔… + 當網絡狀況變更時強制重新連接(例如從WiFi變成手機網絡,反之亦然) + 網絡異動時重新連接 網絡狀態: %s 選擇 顯示記錄視窗 顯示流量狀態 - 繁體中文 由 羊羊<sora8964@gmail.com> 翻譯 + 於 %1$s (%2$s) %3$s 上運行, Android API 版本: %4$d + 連線警告和通知時發出音效 + 繁體中文 由 羊羊@自由網絡研究中心 <sora8964@gmail.com> 翻譯 IP和DNS 基本 路由 + 鮮為人知的OpenVPN設定,一般情況下不需要派上用場。 進階 ICS Openvpn 設定 + 沒有任何DNS伺服器可用,可能無法進行網域名稱解析。請考慮設置自訂的DNS伺服器 快速入門 + 在連線前嘗試載入Tun模組,需要Root。 載入Tun模組 + 取得代理伺服器資訊時發生錯誤: %s + 使用代理伺服器 %1$s %2$d 使用系統代理 + 使用系統配置的 HTTP/HTTPS 代理伺服器進行連接。 你可以透過 <a href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&amp;cmd=_s-xclick\">PayPal</a> 提供捐助 - 重新開機時重新連接 + 如果在重新開機或關機前正連接VPN,開機時自動重新連接。在使用這個選項之前請先閱讀連線警告FAQ。 + 開機時重新連接 忽略 重置 + 配置變更只會在重新啟動VPN時才生效,現在要(重新)啟動VPN嗎? + 設定已變更 + 重複的通知 路由/網絡介面 設定 + 翻譯 + OpenVPN 運作記錄 + 匯入 OpenVPN 配置 + 電池消耗 + VPN與可攜式無線基地台 + 連線重試次數 + 嘗試重新連線之間的等待秒數 + 重新連接間隔時間 + OpenVPN非預期地崩潰,你或者會考慮在主選單下傳送Minidump給開發人員。 + 向開發人員傳送Minidump + 將最後一次崩潰的除錯資訊傳送給開發人員 diff --git a/res/values/strings.xml b/res/values/strings.xml index 762133c1..ab629a00 100755 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -140,7 +140,6 @@ Could not read Profile to import Error reading config file add Profile - Trying to read file: %1$s Could not find file %1$s mentioned in the imported config file Importing config file from source %1$s Your configuration had a few configuration options that could not be parsed. These options were added as custom configuration options. The custom configuration is displayed below: 
@@ -182,8 +181,6 @@ No CA Certificate returned while reading from Android keystore. Auhtentication will probably fail. Shows the log window on connect. The log window can always be accessed from the notification status. Show log window - Keep the notification displayed after the connection is established to show traffic statistics. - Show Traffic Statistics Running on %1$s (%2$s) %3$s, Android API %4$d Error signing with Android keystore key %1$s: %2$s The VPN connection warning telling you that this app can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (The key symbol) is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be circumenvented. (On some images this unfortunely includes a notifciation sound) -- cgit v1.2.3 From 80d073d5fd79e0c57e33e708e6917e9f36c9bebc Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 25 Dec 2012 16:08:32 +0100 Subject: Added tag v0.5.28 for changeset 9ff0a312799b --- .hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/.hgtags b/.hgtags index 4e417218..667ff575 100644 --- a/.hgtags +++ b/.hgtags @@ -28,3 +28,4 @@ d356e8526528be9d800d83022aa8004c910fa407 v0.5.23 963a0716b027deaa7b00a5327165d3d130993aee v0.5.27 963a0716b027deaa7b00a5327165d3d130993aee v0.5.27 4b88cad1e252f6b1daf4a8dbb0ce8911604ba97a v0.5.27 +9ff0a312799b05c56f59f729496ac5ea484a841b v0.5.28 -- cgit v1.2.3