[Openvpn-devel] Added client-ip to NAT config

Message ID CP2P152MB16680322F42D28AABF8A15EFA8210@CP2P152MB1668.LAMP152.PROD.OUTLOOK.COM
State Changes Requested
Series [Openvpn-devel] Added client-ip to NAT config

Commit Message

Kristof Provost via Openvpn-devel Sept. 16, 2020, 6:56 a.m. UTC
Hello guys,

A couple years ago I submitted this patch which allows the user to set the 'client-ip' as a convenient way to use the leased IP address received from OpenVPN server in NAT configuration. For example:

client-nat snat client-ip 255.255.255.255 172.20.1.15

, where 'client-ip' string is replaced with the leased IP address received from OpenVPN server.

At that time, it was NACKED due to the fact that I was using both client-ip and localhost strings. So, it's changed now and I'd like to re-submit it again for appreciation.

Thanks

Gava

--------------------------------------------------------------------------------------------------------------------------------------

From cb56f9bd4acaf28a2af256eead009310d8ba063f Mon Sep 17 00:00:00 2001
From: Rafael Gava de Oliveira <Rafael.Oliveira@venturus.org.br>
Date: Sat, 12 Sep 2020 19:27:25 -0300
Subject: [PATCH] Allows the usage of the string 'client-ip' in the client-nat
network configuration in a way that is not necessary to inform the IP address
beforehand. Openvpn will set dynamically the received IP from DHCP.

Example:

                client-nat snat client-ip 255.255.255.255 172.20.1.15

Replaces the 'client-ip' string with the DHCP address received from
the openvpn server.

Signed-off-by: Rafael Gava de Oliveira <Rafael.Oliveira@venturus.org.br>
---
src/openvpn/clinat.c  | 45 ++++++++++++++++++++++++++++++++++++++++-----
src/openvpn/clinat.h  |  2 ++
src/openvpn/init.c    |  2 ++
src/openvpn/options.c |  2 +-
4 files changed, 45 insertions(+), 6 deletions(-)
mode change 100644 => 100755 src/openvpn/clinat.c

--
2.7.4

Comments

Gert Doering Sept. 16, 2020, 10:34 a.m. UTC | #1
Hi,

On Wed, Sep 16, 2020 at 04:56:17PM +0000, Rafael Gava de Oliveira via Openvpn-devel wrote:
> A couple years ago I submitted this patch which allows the user to set the 'client-ip' as a convenient way to use the leased IP address received from OpenVPN server in NAT configuration. For example:

We now have two submissions for this - are they any different?

gert
Rafael Gava Sept. 16, 2020, 11:50 a.m. UTC | #2
Oops, sorry. It's the same. I thought it was not sent to the group. :-)

BR

Gava

On Wed, Sep 16, 2020 at 5:35 PM Gert Doering <gert@greenie.muc.de> wrote:

> Hi,
>
> On Wed, Sep 16, 2020 at 04:56:17PM +0000, Rafael Gava de Oliveira via Openvpn-devel wrote:
> > A couple years ago I submitted this patch which allows the user to set the 'client-ip' as a convenient way to use the leased IP address received from OpenVPN server in NAT configuration. For example:
>
> We now have two submissions for this - are they any different?
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                             gert@greenie.muc.de
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Patch

diff --git a/src/openvpn/clinat.c b/src/openvpn/clinat.c
old mode 100644
new mode 100755
index b08fd54..865b0e2
--- a/src/openvpn/clinat.c
+++ b/src/openvpn/clinat.c
@@ -128,12 +128,16 @@  add_client_nat_to_option_list(struct client_nat_option_list *dest,
         msg(msglevel, "client-nat: type must be 'snat' or 'dnat'");
         return;
     }
-
-    e.network = getaddr(0, network, 0, &ok, NULL);
-    if (!ok)
+    if (network && !strcmp(network, "client-ip"))
     {
-        msg(msglevel, "client-nat: bad network: %s", network);
-        return;
+        e.network = 0xFFFFFFFF;
+    } else {
+        e.network = getaddr(0, network, 0, &ok, NULL);
+        if (!ok)
+        {
+            msg(msglevel, "client-nat: bad network: %s", network);
+            return;
+        }
     }
     e.netmask = getaddr(0, netmask, 0, &ok, NULL);
     if (!ok)
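Review bot: Using 0xFFFFFFFF as an in-band marker for the 'client-ip' placeholder collides with a legitimate value: getaddr() returns exactly 0xFFFFFFFF for a literal '255.255.255.255' network, so such a rule would later be treated as the placeholder and rewritten to the leased address. Record the placeholder out of band instead, for instance a boolean in struct client_nat_entry set when 'network' equals "client-ip", and test that flag in the update routine. Two smaller points: '} else {' should be split onto separate lines ('}', 'else', '{') to match the brace style of the surrounding code, and the diff also flips the mode of clinat.c from 100644 to 100755, which looks accidental and should be reverted.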
@@ -276,3 +280,34 @@  client_nat_transform(const struct client_nat_option_list *list,
         }
     }
}
+
+/*
+* Replaces the client-ip token with the IP received from OpenVPN Server
+*/
+bool
+update_client_ip_nat(struct client_nat_option_list *dest, in_addr_t local_ip)
+{
+    int i;
+    bool ret = false;
+
+    if (!dest)
+        return ret;
+
+    for (i=0; i <= dest->n; i++)
+    {
+        struct client_nat_entry *nat_entry = &dest->entries[i];
+        if (nat_entry && nat_entry->network == 0xFFFFFFFF)
+        {
+            struct in_addr addr;
+
+            nat_entry->network = ntohl(local_ip);
+            addr.s_addr = nat_entry->network;
+            char *dot_ip = inet_ntoa(addr);
+
+            msg (M_INFO, "Updating NAT table client-ip to: %s", dot_ip);
+            ret = true;
+        }
+    }
+
+    return ret;
+}
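Review bot: The loop 'for (i=0; i <= dest->n; i++)' is off by one: 'dest->n' is the number of filled entries, so the last iteration reads 'dest->entries[dest->n]', an unused slot, and one past the end of the array when the list is full; it should be 'i < dest->n'. The 'nat_entry &&' test is always true because it is the address of an array element. Byte order needs a second look as well: 'nat_entry->network' is compared with values that getaddr() produced in the previous hunk, while 'addr.s_addr' handed to inet_ntoa() expects network byte order, yet both are assigned the same 'ntohl(local_ip)', so they cannot both be correct on a little-endian host; settle on one order and convert only for the log line. For that log line prefer the project's print_in_addr_t() with a gc_arena over the non-reentrant inet_ntoa(). Style: wrap the early 'return ret;' in braces, drop the space in 'msg (M_INFO, ...)', and indent the '*' lines of the block comment under the opening '/*'.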
diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h
index eec7a03..c2941b9 100644
--- a/src/openvpn/clinat.h
+++ b/src/openvpn/clinat.h
@@ -64,4 +64,6 @@  void client_nat_transform(const struct client_nat_option_list *list,
                           struct buffer *ipbuf,
                           const int direction);
+bool update_client_ip_nat(struct client_nat_option_list *dest, in_addr_t local_ip);
+
#endif /* if !defined(CLINAT_H) */
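Review bot: The new prototype has no doc comment stating its contract: that it rewrites every entry whose network was given as the 'client-ip' placeholder, which byte order 'local_ip' must be in, and that the return value only reports whether at least one entry was rewritten. Document that here, since callers in other files (init.c) will rely on it.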
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index a785934..8d6f9a8 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1920,6 +1920,8 @@  do_open_tun(struct context *c)
                               SET_MTU_TUN | SET_MTU_UPPER_BOUND);
     }
+    update_client_ip_nat(c->options.client_nat, c->c1.tuntap->local);
+
     ret = true;
     static_context = c;
#ifndef TARGET_ANDROID
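Review bot: The call passes 'c->c1.tuntap->local' unconditionally and discards the return value. When no IPv4 ifconfig address is set for the tunnel (IPv6-only or externally configured interfaces) 'local' is 0, so any 'client-ip' rule would be silently rewritten to network 0.0.0.0 instead of being rejected. Guard the call on a non-zero local address and on 'c->options.client_nat' being set, and emit an M_WARN (or fail the connection) when a rule still carries the placeholder after the tunnel is up.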
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8bf82c5..26f11fa 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -231,7 +231,7 @@  static const char usage_message[] =
     "                   ICMPv6 host unreachable messages on the client.\n"
     "                   (Server) Instead of forwarding IPv6 packets send\n"
     "                   ICMPv6 host unreachable packets to the client.\n"
-    "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
+    "--client-nat snat|dnat network|'client-ip' netmask alias : on client add 1-to-1 NAT rule.\n"
     "--push-peer-info : (client only) push client info to server.\n"
     "--setenv name value : Set a custom environmental variable to pass to script.\n"
     "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
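Review bot: The usage text now mentions the 'client-ip' placeholder, but the diffstat lists only the four source files, so the manual page and Changes.rst are not updated and the new syntax is undocumented outside --help; add those in the same series. Minor: the rendered usage line now runs well past 80 columns, so move the description of 'client-ip' onto an indented continuation line like the entries above it.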