1. 04 Jul, 2019 1 commit
    • demo: test HMAC initialization · 668dbc0d
      Killian Lufau authored
      Disabling the creation of an HMAC key when setting up a new network
      allows testing that the introduction of HMAC on an HMAC-less network works.
      668dbc0d
  2. 02 Jul, 2019 1 commit
  3. 27 Jun, 2019 1 commit
    • demo: add another re6st network · d868f09a
      Killian Lufau authored
      The purpose is to check that HMAC prevents routes from being exchanged
      between the 2 networks. This happened when 2 nodes of 2 different re6st
      networks were in the same LAN, and it caused many issues.
      
      /reviewed-on nexedi/re6stnet!15
      d868f09a
  4. 26 Jun, 2019 1 commit
  5. 19 Jun, 2019 1 commit
    • Implement HMAC for babel · 12ba2ee4
      Killian Lufau authored
      HMAC is added to the babel call to prevent babel communication between nodes of different re6st networks.
      This solves the problem of machines in different re6st networks but on the same LAN that exchange routes through babel.
      The key used to authenticate packets is randomly created (16 bytes) by the registry and sent to nodes when they fetch network parameters.
      This uses the WIP hmac branch of jech/babeld with Nexedi patches and the added possibility to not check HMAC in incoming packets, for better HMAC integration on an HMAC-less network.
      
      /reviewed-on nexedi/re6stnet!18
      12ba2ee4
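      The behaviour described in this commit and in the two demo commits above (a per-network key from the registry, packets from another re6st network on the same LAN being dropped, and a transition mode that tags outgoing packets without checking incoming ones), as an added illustration that is not re6stnet's or babeld's own code. The tag framing (HMAC-SHA256 appended to the packet) and the function names are assumptions made for the example; babeld's actual packet format is not described here.

```python
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # assumed framing: tag appended to the packet


def new_network_key():
    """Registry side: a 16-byte random key handed to nodes with the network parameters."""
    return os.urandom(16)


def sign_packet(key, packet):
    """Sender: append HMAC-SHA256(key, packet). The hash choice is an assumption."""
    return packet + hmac.new(key, packet, hashlib.sha256).digest()


def accept_packet(key, wire, check_incoming=True):
    """Receiver: return the packet if its tag verifies under our network key, else None.

    check_incoming=False mirrors the transition mode: outgoing packets are still
    tagged, but incoming ones are accepted without verifying the tag, so a network
    that is only partly upgraded keeps exchanging routes."""
    packet, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    if not check_incoming:
        return packet
    expected = hmac.new(key, packet, hashlib.sha256).digest()
    return packet if hmac.compare_digest(tag, expected) else None


def exchange(sender_key, receiver_key, packet, check_incoming=True):
    """Two nodes on one LAN: the sender tags with its network key, the receiver decides."""
    return accept_packet(receiver_key, sign_packet(sender_key, packet), check_incoming)


# Constructed sample: two distinct re6st networks and one babel-style update payload.
NET_A = new_network_key()
NET_B = new_network_key()
ROUTE = b"constructed babel update: 2001:db8:a::/48"


def demo():
    same = exchange(NET_A, NET_A, ROUTE)                        # same network: accepted
    cross = exchange(NET_A, NET_B, ROUTE)                       # other network: dropped
    migrating = exchange(NET_A, NET_B, ROUTE, check_incoming=False)  # transition mode
    return same, cross, migrating
```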
  6. 18 Jun, 2019 1 commit
    • Fix attribute deletion when updating config · 63b5c4c2
      Killian Lufau authored
      The received network parameter name can have a ':json' suffix that
      is not present in the class attribute of this parameter.
      This suffix was not removed and could cause attribute deletion to fail.
      
      /reviewed-on !20
      63b5c4c2
  7. 12 Jun, 2019 1 commit
  8. 04 Jun, 2019 1 commit
  9. 15 May, 2019 2 commits
    • demo: add testing of UDP · b5b52dc8
      Killian Lufau authored
      /reviewed-on !11
      b5b52dc8
    • Fix --disable-proto · 120fff13
      Killian Lufau authored
      argparse is error-prone in that `action='append'` starts from (a copy of) the
      given default when it adds values from the command line, rather than restarting
      from an empty list. For example, simply passing `--disable-proto udp` resulted
      in ['udp', 'udp6', 'udp'], which caused 'udp6' to remain disabled.
      
      /reviewed-on !17
      120fff13
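      The argparse pitfall described in this commit, reproduced and corrected, as an added example that is not re6stnet's own code. The option name and the default list ['udp', 'udp6'] are taken from the message above; the fix shown (leaving the default to None and applying it afterwards) is one possible fix and is an assumption, not necessarily the one the commit used.

```python
import argparse

# Protocols disabled when the user says nothing (value taken from the commit message).
DEFAULT_DISABLED = ['udp', 'udp6']


def parse_buggy(argv):
    """The pitfall: action='append' copies the default list and then appends to it,
    so the user's value is added to, rather than replacing, the default."""
    parser = argparse.ArgumentParser()
    parser.add_argument('--disable-proto', action='append', default=DEFAULT_DISABLED)
    return parser.parse_args(argv).disable_proto


def parse_fixed(argv):
    """Leave the default to None so that append starts from an empty list, then
    apply the default only when the option was never given on the command line."""
    parser = argparse.ArgumentParser()
    parser.add_argument('--disable-proto', action='append', default=None)
    args = parser.parse_args(argv)
    if args.disable_proto is None:
        args.disable_proto = list(DEFAULT_DISABLED)
    return args.disable_proto


def compare(argv):
    """Return (buggy result, fixed result) for the same command line."""
    return parse_buggy(argv), parse_fixed(argv)
```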
  10. 09 May, 2019 1 commit
    • OpenVPN 2.4.7 workaround to revert to previous MTU settings · d398aa93
      Killian Lufau authored
      In commit 06974788,
      we increased the --link-mtu value as a temporary way to compensate for the
      unexplained behaviour change of recent OpenVPN.
      
      This was partly due to encryption, which was enabled despite
      `--cipher none`. And it happens that the behaviour of --link-mtu only
      changed for the server, with a mysterious difference of 93 bytes.
      
      Hence the workaround to get identical tunnel MTU on both sides.
      
      /reviewed-on !13
      d398aa93
  11. 06 May, 2019 1 commit
    • Remove old fix in ovpn-client · 24fea8cd
      Killian Lufau authored
      The fix to mark an interface as "up" and indicate its MTU was
      useful for machines with a single client, because OpenVPN would fail
      to configure them this way in OpenVPN 2.3. It has been fixed in 2.4
      so the fix has been removed.
      
      /reviewed-on !14
      24fea8cd
  12. 03 May, 2019 1 commit
    • Fix deactivation of encryption with recent OpenVPN · 114a1763
      Killian Lufau authored
      Passing `--cipher none` to OpenVPN is not enough anymore because
      clients and servers can still negotiate the algorithm to use for
      encryption (by default not empty). We pass the option `--ncp-disable`
      to disable cipher negotiation.
      
      /reviewed-on !12
      114a1763
  13. 29 Apr, 2019 1 commit
    • Switch to OpenVPN 2.4 · 06974788
      Killian Lufau authored
      The behaviour of --link-mtu has changed and we increase the values to
      at least have an interface MTU greater than the IPv6 minimum.
      We'll see later whether to use even greater values in ovpn_link_mtu_dict
      (so that the resulting MTU is closer to what we had with 2.3)
      or to review the whole MTU part completely.
      06974788
  14. 10 Apr, 2019 1 commit
  15. 12 Mar, 2019 1 commit
  16. 21 Feb, 2019 1 commit
  17. 05 Feb, 2019 1 commit
  18. 14 Dec, 2018 1 commit
    • x509: gracefully handle ENOMEM when running openssl · 2b0d5043
      Jérome Perrin authored
      prevent this kind of error when running openssl fails:
      
      ```
      10-12-2018 19:04:02 ERROR     AttributeError: 'NoneType' object has no attribute 'splitlines'
      Traceback (most recent call last):
        File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/cli/node.py", line 428, in main
          s(*args)
        File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/utils.py", line 191, in select
          R[r]()
        File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/tunnel.py", line 399, in handlePeerEvent
          True, crypto.FILETYPE_ASN1)
        File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/x509.py", line 136, in loadVerify
          for x in err.splitlines():
      ```
      
      /reviewed-on nexedi/re6stnet!6
      2b0d5043
  19. 17 Oct, 2018 2 commits
  20. 02 Oct, 2018 1 commit
  21. 25 Sep, 2018 2 commits
  22. 30 Aug, 2018 3 commits
  23. 09 Aug, 2018 1 commit
  24. 07 Aug, 2018 1 commit
    • Log signals that are sent to kill subprocesses and increase default log level · 9e6ece7a
      Julien Muchembled authored
      We currently have issues with OpenVPN hook scripts that aren't always killed
      at exit. Such orphan processes prevent re6st from starting again (EADDRINUSE).
      
      We want to know if it's an OpenVPN that does not exit cleanly on TERM,
      or if it sometimes does not exit at all after 5s (then re6st sends a KILL
      signal and at that point we should indeed make sure that any subprocess is
      also KILLed).
      9e6ece7a
  25. 01 Aug, 2018 3 commits
    • 29d7fc03
    • Update comments · 20f89677
      Julien Muchembled authored
      20f89677
    • Fix crash caused by buggy UPnP · 2938a7c6
      Julien Muchembled authored
      ```
      gaierror: [Errno -2] Name or service not known
      Traceback (most recent call last):
       File "re6st/cli/node.py", line 271, in main
         remote_gateway, config.disable_proto, config.neighbour)
       File "re6st/tunnel.py", line 663, in __init__
         cache, cert, address)
       File "re6st/tunnel.py", line 236, in __init__
         self._updateCountry(address)
       File "re6st/tunnel.py", line 643, in _updateCountry
         family, ip = resolve(*address)
       File "re6st/tunnel.py", line 30, in resolve
         for x in socket.getaddrinfo(ip, port, family, 0, proto))
      ```
      
      where ip is '-a'
      2938a7c6
  26. 03 Jul, 2018 1 commit
  27. 02 Jul, 2018 3 commits
  28. 29 Jun, 2018 1 commit
  29. 26 Jun, 2018 1 commit
  30. 01 Jun, 2018 1 commit
  31. 15 Mar, 2018 1 commit