From patchwork Thu Feb 20 19:48:27 2025
X-Patchwork-Submitter: Rafael Gava
X-Patchwork-Id: 4156
From: Rafael Gava
Date: Thu, 20 Feb 2025 16:48:27 -0300
To: openvpn-devel
Subject: [Openvpn-devel] [PATCH] Add 'localhost' token to client-nat network option

Dear OpenVPN Community,

I am submitting this patch to introduce a 'localhost' token to the `client-nat` network option, allowing OpenVPN clients to dynamically use the IP address provided by the server. This enhancement is particularly useful in scenarios where OpenVPN is deployed as a VPN gateway bridging a local network and a VPN tunnel. Currently, the `client-nat` option requires a static client IP, which limits its flexibility when dealing with dynamically assigned IP addresses.
By introducing a 'localhost' token, OpenVPN can automatically substitute it with the current client-assigned IP address, streamlining network configurations in dynamic environments. Example: client-nat snat localhost 255.255.255.255 172.19.80.17 I believe this feature will be beneficial for many OpenVPN users, improving automation and simplifying VPN gateway configurations. Please find the patch inline for review and feedback. Best regards, Rafael Gava ---- From fbc7045d652b5f11e2aa043aa2af9ca14f36b604 Mon Sep 17 00:00:00 2001 From: Rafael Gava Date: Thu, 20 Feb 2025 19:19:39 +0000 Subject: [PATCH] Added the localhost token to the client-nat network option, enabling the application to dynamically use the client IP provided by the server. Signed-off-by: Rafael Gava --- src/openvpn/clinat.c | 47 +++++++++++++++++++++++++++++++++++++++---- src/openvpn/clinat.h | 3 +++ src/openvpn/init.c | 2 ++ src/openvpn/options.c | 1 + 4 files changed, 49 insertions(+), 4 deletions(-) "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" diff --git a/src/openvpn/clinat.c b/src/openvpn/clinat.c index 2d3b359f..1c79b20d 100644 --- a/src/openvpn/clinat.c +++ b/src/openvpn/clinat.c @@ -127,12 +127,19 @@ add_client_nat_to_option_list(struct client_nat_option_list *dest, return; } - e.network = getaddr(0, network, 0, &ok, NULL); - if (!ok) + if (network && !strcmp(network, "localhost")) { - msg(msglevel, "client-nat: bad network: %s", network); - return; + msg (M_INFO, "*** client-nat localhost detected..."); + e.network = 0xFFFFFFFF; + } else { + e.network = getaddr(0, network, 0, &ok, NULL); + if (!ok) + { + msg(msglevel, "client-nat: bad network: %s", network); + return; + } } + e.netmask = getaddr(0, netmask, 0, &ok, NULL); if (!ok) { 
@@ -274,3 +281,35 @@ client_nat_transform(const struct client_nat_option_list *list, } } } + +/* +* Replaces the localhost token with the IP received from OpenVPN +*/ +bool +update_localhost_nat(struct client_nat_option_list *dest, in_addr_t local_ip) +{ + int i; + bool ret = false; + + if (!dest) { + return ret; + } + + for (i=0; i <= dest->n; i++) + { + struct client_nat_entry *nat_entry = &dest->entries[i]; + if (nat_entry && nat_entry->network == 0xFFFFFFFF) + { + struct in_addr addr; + + nat_entry->network = ntohl(local_ip); + addr.s_addr = nat_entry->network; + char *dot_ip = inet_ntoa(addr); + + msg (M_INFO, "CNAT - Updating NAT table from localhost to: %s", dot_ip); + ret = true; + } + } + + return ret; +} diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h index 94141f51..06afa3b4 100644 --- a/src/openvpn/clinat.h +++ b/src/openvpn/clinat.h @@ -64,4 +64,7 @@ void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction); +bool update_localhost_nat(struct client_nat_option_list *dest, in_addr_t local_ip); + + #endif /* if !defined(CLINAT_H) */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b57e5f8a..dadc10dc 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2052,6 +2052,8 @@ do_open_tun(struct context *c, int *error_flags) *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS); } + update_localhost_nat(c->options.client_nat, c->c1.tuntap->local); + ret = true; static_context = c; } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6b2dfa58..f7161931 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -254,6 +254,7 @@ static const char usage_message[] = " (Server) Instead of forwarding IPv6 packets send\n" " ICMPv6 host unreachable packets to the client.\n" "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n" + " set the network to 'localhost' to use the client ip received from the server.\n" "--push-peer-info : (client only) push client info to server.\n"
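Review bot: the two usage_message fragments (`"--setenv name value ..."` and `"--setenv FORWARD_COMPATIBLE 1 ..."`) that sit between the diffstat and the first `diff --git` header belong to no hunk and to none of the four files listed, which indicates the patch body was altered on its way through the mail client; please resend it with git send-email (or attach the format-patch output) so it applies cleanly and the whitespace can be reviewed as submitted.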
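Review bot: in the clinat.c @@ -127 hunk, `e.network = 0xFFFFFFFF` reuses a valid in_addr_t value (255.255.255.255) as the "unresolved localhost" marker, so later code cannot tell the token apart from a literal network of that value; a dedicated field in struct client_nat_entry (for instance a bool set here and tested instead of the magic number) removes the ambiguity. Style points for the same lines: `msg (M_INFO, ...)` has a space before the parenthesis and `} else {` keeps the brace on the same line, both differing from the surrounding code; M_INFO is also loud for an option-parse message ("*** client-nat localhost detected...") compared with the `msglevel`-based message kept in the else branch.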
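Review bot: in the clinat.c @@ -274 hunk, `for (i=0; i <= dest->n; i++)` walks one element past the last valid entry (entries are indexed 0..n-1) and reads `dest->entries[dest->n]`; it needs `i < dest->n`. In the same function the `nat_entry &&` test is always true (it is the address of an array element), and `inet_ntoa()` uses a static buffer and expects network byte order while `nat_entry->network` is stored in the host order that `getaddr()` produces for the other entries, so the logged address is byte-swapped on little-endian hosts; the `ntohl(local_ip)` also needs checking against the byte order `tuntap->local` is kept in, since elsewhere it is filled from getaddr() in host order and this would then be a double conversion. Printing with print_in_addr_t() and a gc_arena is the usual pattern. Finally, once the marker is overwritten with the real address the token is gone, so a reconnect that assigns a different address keeps the stale value; keeping the token in a flag and re-deriving the network on every call avoids that. The comment block should use the ` * ` continuation style used in the rest of the file.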
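Review bot: in the clinat.h hunk the new `update_localhost_nat()` prototype has no comment; please add a short description stating that it rewrites matching entries in place, what `local_ip`'s byte order is expected to be, and what the bool return means, and drop one of the two blank lines inserted before `#endif`.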
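Review bot: in the init.c @@ -2052 hunk the call is placed in the branch that has just created and configured the device, right before `ret = true;`; on a restart where the existing device is preserved (persist-tun) this branch is not reached, so a newly pushed address would not update the rule, which is exactly the dynamic-address case the cover letter targets. Consider performing the substitution where the pushed ifconfig address is applied instead, and handle the bool return (currently discarded), at least with a debug-level message when no entry was updated.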
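Review bot: in the options.c usage hunk the new continuation line documents a new token, but the diffstat lists no change to the manual page section for --client-nat; please update the documentation in the same patch. Also capitalise "IP" ("client IP received from the server") and indent the continuation line the way the neighbouring multi-line usage_message entries are indented.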