OpenVPN 3 Linux v27 (Stable release)
The v27 release is a bug fix release with a few enhancements.
* FEATURE DEPRECATION: openvpn3-autoload
** THIS IS THE LAST RELEASE SHIPPING THIS UTILITY - MIGRATE NOW **
The openvpn3-autoload feature was deprecated already in the
v20 release. This feature will be removed in a coming stable
release.
The replacement is the openvpn3-session@.service systemd unit.
Please see the openvpn3-systemd man page [1] for more details.
If you depend on openvpn3-autoload today, please migrate ASAP
to the systemd approach.
[1] <https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-systemd.8.rst>
* Bugfix: Use dynamic naming schema for ovpn-dco interfaces
Prior releases would not be able to start an OpenVPN configuration
profile if the --dev argument named a device while a device with
the same name already existed. This has been resolved
and OpenVPN 3 Linux will now use a dynamic naming schema similar to
what non-DCO configurations use, appending a digit at the end of
the device name.
* Bugfix: Deny starting the same configuration multiple times in parallel
Prior releases would allow users to start multiple VPN sessions using
the same configuration profile. This could easily cause issues
where none of the VPN tunnels would work.
The OpenVPN 3 Session Manager will now block a user from starting
duplicated VPN sessions if it detects the configuration D-Bus path
is already used in a session the user owns.
The openvpn3-systemd unit helper has also been extended to check
the configuration profile name given via the systemd unit name.
* Bugfix: systemd-resolved integration has been refactored
When the OpenVPN 3 Network Configuration Service wanted to
configure the DNS resolver settings, it used a unique D-Bus
path to the virtual network device in the org.freedesktop.resolve1
service. Unfortunately, systemd-resolved could be a bit slow
at creating and making these D-Bus objects available, which could
cause the OpenVPN session to not see the DNS settings in a timely
manner. In some cases, it could even completely fail and the
VPN session was running without the proper DNS resolver configured.
This release makes use of a different systemd-resolved D-Bus API
which is more responsive and available before the needed D-Bus
object has been created and made available. This results in DNS
resolver settings being configured with a much higher success rate
than earlier.
* Bugfix: Fix CreateVirtualInterface timeout errors
When starting a new VPN session, on some systems, especially when
under load, the OpenVPN 3 Backend VPN Client process could end up
not getting the new virtual interface created and the client
connection would fail.
In other scenarios, if the user would try to restart VPN sessions
too quickly - especially with ovpn-dco interfaces, it could also
trigger a similar behaviour and in some cases also result in a
deadlock in the OpenVPN 3 Network Configuration Service, making
it impossible to start new VPN sessions.
The whole logic related to the CreateVirtualInterface call chains
has been remodelled to be much more robust and to ensure the
order of creation and destruction of virtual interfaces is tighter
and clearer.
* Bugfix: Properly stop sessions which have been disconnected via --inactive
The OpenVPN 3 Backend Client process and the Session Manager were
lacking the logic to properly handle VPN sessions being automatically
disconnected when the session was considered inactive, configured via
the --inactive option.
In prior releases, the related openvpn3-service-client process would
not stop and the OpenVPN 3 Session Manager would need to be
explicitly told to disconnect the session, even though it was
already stopped.
This has been improved and the openvpn3-service-client process will
now properly shut itself down and the OpenVPN 3 Session Manager will
register that the session has been stopped and mark the session as
disconnected and closed.
* Bugfix: OpenVPN 3 Configuration Manager does not log persisted profiles
When the OpenVPN 3 Configuration Manager starts, it will load all
the persistent configuration profiles into memory. But due to an
incorrect log level handling internally, it would never respect the
log level value when starting up. This resulted in not logging all
the imported persistent configuration profiles.
* Bugfix: OpenVPN 3 Configuration Manager did not transfer ownership
When the net.openvpn.v3.configuration.TransferOwnership method was
called on a configuration profile path, it would not do the transfer
unless it was root who owned the profile. This meant that only
root could transfer profiles the root user imported and could not
do any other transfers after that point.
This release improves this by allowing root to always be able
to transfer the ownership of any configuration profile paths
to all users, regardless of who owns the profile.
* Bugfix: Avoid a file descriptor leak on tun interfaces
When the VPN session was restarted or reconnecting with a full
interface teardown, the openvpn3-service-client process would
leak a file descriptor, which could end up in a crash if this
happened too often. It could also block the other openvpn3
background service processes from operating as well in some
cases.
* Bugfix: System logs show g_variant_new_object_path assertion errors
When starting a new VPN session, this error would be found in the
system logs (syslog, journald):
g_variant_new_object_path: assertion 'g_variant_is_object_path (object_path)' failed
This has been fixed by avoiding replying with an invalid D-Bus path
before the information with this path would be available.
* Enhancement: Log the process ID (pid) of the log event sender
When systemd-journald is configured to do the system logging,
all log events have the _PID value of the openvpn3-service-log
process. This release adds an O3_SENDER_PID meta data field
in the systemd-journal, representing the process ID of the process
sending the log event.
This is handy when there are system logs indicating issues
with a process but only indicating the PID value. The
'openvpn3-admin journal' command has been extended with a --pid
argument to filter only log events from this process ID. The
same can be done via 'journalctl O3_SENDER_PID=1234'.
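The sender lookup described above, applied to exported journal data. This is an added example, not code from the OpenVPN 3 Linux project; it assumes the journal was exported with 'journalctl -o json' (one JSON object per line), and the sample lines, PIDs and messages are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of `journalctl -o json` output, one JSON object per line.
# All PIDs and messages are made up; _PID is the openvpn3-service-log process.
SAMPLE_JOURNAL = """\
{"_PID": "812", "O3_SENDER_PID": "1234", "MESSAGE": "Starting connection"}
{"_PID": "812", "O3_SENDER_PID": "1301", "MESSAGE": "Virtual interface created"}
{"_PID": "812", "O3_SENDER_PID": "1234", "MESSAGE": [67, 111, 110, 110, 101, 99, 116, 101, 100]}
{"_PID": "812", "MESSAGE": "Entry logged before the v27 upgrade"}
"""


def _text(value):
    """Decode a journal JSON field: journalctl emits values that are not
    printable UTF-8 as a list of byte values, and oversized fields as null."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else str(value)


def events_by_sender(journal_lines):
    """Group log messages by the PID of the process that sent them.

    Entries without a numeric O3_SENDER_PID (for example, written before
    v27) are grouped under None: their _PID only identifies
    openvpn3-service-log, not the real sender.
    """
    grouped = defaultdict(list)
    for line in journal_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or partial lines
        if not isinstance(entry, dict):
            continue
        sender = _text(entry.get("O3_SENDER_PID"))
        key = int(sender) if sender.isdigit() else None
        grouped[key].append(_text(entry.get("MESSAGE")))
    return dict(grouped)


def events_for_pid(journal_lines, pid):
    """Messages sent by one process: the offline equivalent of O3_SENDER_PID=<pid>."""
    return events_by_sender(journal_lines).get(pid, [])


if __name__ == "__main__":
    for pid, messages in events_by_sender(SAMPLE_JOURNAL.splitlines()).items():
        print(pid, messages)
```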
* Enhancement: Add openvpn3-desktop-session-watcher
This is a simple stand-alone utility for graphical desktop
environments. It will issue a desktop notification when new VPN
sessions are started or the running status of the session changes.
If the VPN session requires web-based authentication, the
notification will also include the URL for the authentication which
the user can click on to start the user authentication process.
There is also a systemd unit file provided with this tool, to be
used by the end-user. See the openvpn3-desktop-session-watcher(1)
man page for details on how to enable this feature at login.
* Deprecated command removed: openvpn3 config-show
This has been an alias for openvpn3 config-dump since the v17_beta
release.
* OpenVPN 3 Core Library update
The OpenVPN 3 Core Library has been updated to version 3.11.6
providing a fix for the ovpn-dco interface name resolution when
there is a name conflict.
Known issues:
- The openvpn3-service-netcfg service does not differentiate between
--dns server X resolve-domains and --dns search-domains when using
the --resolv-conf mode, which is not how this feature is
intended to work. This was discovered in the v24 release and is
on the schedule to be fixed in the next releases. When this gets
fixed, only --dns search-domains will be considered as search
domains and --dns server X resolve-domains will enable split-DNS
when using --systemd-resolved and otherwise ignored when using
--resolv-conf with openvpn3-service-netcfg.
- There is a file descriptor leak with ovpn-dco interfaces when VPN
sessions are restarted or a reconnect with a full interface
teardown is needed. This is noticeable in environments with
unstable connections to the VPN server. The current workaround
is to not use DCO interfaces if this is an issue.
---- Changes from v26 to v27 ---------------------------------------
David Sommerseth (89):
deprecation: Remove openvpn3 config-show
spelling: Fix a few minor misspellings of OpenVPN
netcfg: Add missing throw keyword for exceptions
netcfg: NetCfgOptions::str() should be a const method
configmgr: Fix failing TransferOwnership() D-Bus method
configmgr: Set the log level earlier in the program startup
configmgr: Improve logging of imported persistent configuration profiles
configmgr: Improve logging when configuration profile changes owner
coverity: Remove std::move() where not needed
coverity: Add missing initialization
coverity: Fix "dead code" findings
configmgr: Report errors when failing to delete profile file
log/journal: Catch date/timestamp parsing errors
netcfg/device: Use the object variable not ctor variable
netcfg: Remove pointless check for logservice in main function
sessionmgr: Catch exception in Session::GetDeviceName()
tests: Ensure request-queue test iterations do not overflow
sessionmgr: Improve exception handling in main()
ovpn3cli/session: Improve session_start() helper sigaction implementation
coverity: Use std::move() on quite some objects
coverity: Fix incorrect std::string::find() usage
log: Catch all exceptions in openvpn3-service-log main()
client: Pass openvpn::ClientAPI::Config object as a ref to worker thread
configmgr/proxy: Pass DBus::Object::Path as const refs
common/requiresqueue: Refactor argument passing - const ref std::string
code cleanup: Use std::vector::emplace_back()
code cleanup: Remove const from function returns
code cleanup: Pass string objects as const ref
code cleanup: Remove const flag from function arguments
client: Use DBus::Object::Path for variables containing a D-Bus path
client: Remove not needed virtual declaration on an override
events: Remove const argument declarations in methods
distro/systemd: Rework error handling in OpenVPN3systemd.__request_handler()
distro/systemd: Add a failsafe starting the same configuration more times
events/status: Refactor Events::Status::PrintMode handling
client: Refactor DBus::Connection::Ptr passing
dbus/path: Code cleanup in generate_path_uuid()
client: Improve arg/env buffer allocation logic
common: Fix typ0 in terminal type detection
distro/systemd: Make the status reporting prettier
vendor: Upgrade to ASIO 1.36.0
netcfg: Make the Cleanup() D-Bus method call async
netcfg: Catch errors better when calling GetUID, GetPID and GetSubscriptionOwner
netcfg: Improve error handling in the Destroy() D-Bus method
netcfg/resolved: Pass if_index into resolved::Link object
netcfg/resolved: Refactor all log/debug functions to use fmt::format()
netcfg/resolved: Extend Link::BackgroundCall() with error callback
netcfg/resolved: Add missing lock_guard mutex in Link::Storage::NumErrors()
netcfg/resolved: Switch SetDefaultRoute() to use SetLinkDefaultRoute() D-Bus method
netcfg/resolved: Add Link::WaitForBackgroundTasks() method
netcfg/resolved: Rework background_call_data implementation
netcfg/resolved: Simplify the AsioWorkerClass implementation
dbus: Add GDBus++ support function - LookupObject()
dbus: Replace CheckObjectExists() with LookupObject()
netcfg/dco: Replace ASIO worker/io_context implementation
netcfg/proxy: Replace g_variant_new() with glib2::Builder
netcfg/device: Make the CreateVirtualInterface() call more robust
netcfg/proxy: Make Manager::getVirtualInterface() return std::shared_ptr
client: Add more debug info in NetCfgTunBuilder::tun_builder_teardown()
netcfg/dco: Refactor the DCO device teardown
log/journald: Add O3_SENDER_PID as log event meta data
ovpn3cli/journal: Add --pid argument to openvpn3-admin journal
docs: Remove outdated information from openvpn3-admin-journal man page
netcfg: Don't attach logging for net.openvpn.v3.netcfg.core
ovpn3cli: Mark "object not found" errors as ExitReason::ABORTED in query_user_input()
sessionmgr: Extend SessionManager::Session with GetConfigPath()
sessionmgr: Block starting duplicated sessions
ovpn3cli/session proxy: Improve error messages sent to the command line user
common/utils: Slight refactoring of version retrieval functions
common/utils: Move Doxygen comment for set_console_echo()
tests: Remove log-listener2 test program
netcfg/resolved: std::move() arguments which can benefit from it
client: Catch DBus::Exception as well in ~NetCfgTunBuilder()
client: Log the D-Bus path to the NetCfg object on device creation
netcfg/proxy: Fix incorrect DCO::SwapKeys() D-Bus argument
client: Plug a file descriptor leak with virtual tun interfaces
python: Add openvpn3-desktop-session-watcher
tests/python: Add a simple example script for watching log/status changes
configmgr: Add possibility for root to override Configuration::CheckACL() check
configmgr: Grant root access to TransferOwnership regardless of the configuration profile ACL
core: Update to OpenVPN 3 Core Library v3.11.6
client: device_path property cannot be empty
client: Check if client thread is joinable when disconnecting
client: Use std::make_shared() when creating CoreVPNClient
client: Properly assign main loop to signals in BackendClientObject
client: Properly signal connection is done in inactivity timeout
dbus/signals: Add callback hook to Signals::StatusChange
events/status: Extend Status::Check() to also check multiple StatusMinor codes
sessionmgr: Act upon StatusChange signals from backend client
--------------------------------------------------------------------