| Commit message (Collapse) | Author | Age | Files | Lines |
|
Global config options, which allow setting the URLs (IPv4 and IPv6
respectively) used during the online status check.
Default values are http://ipv4.connman.net/online/status.html and
http://ipv6.connman.net/online/status.html respectively.
|
The ConnMan project moved to oftc recently. Add the IRC contact
information.
|
ConnMan is hosted on lists.linux.dev from now on. Update the entry and
also explain how to subscribe. While at it also mention the official
archive.
|
Co-authored-by: Matt Vogt <matthew.vogt@jollamobile.com>
Co-authored-by: Slava Monich <slava.monich@jolla.com>
This OpenVPN plugin rewrite contains numerous fixes. Most
importantly VPN agent is used to query credentials as well as the
password for the encrypted private key.
VPN agent support is done utilizing the management interface of OpenVPN.
The management interface is opened at each connection attempt to get
the potential requests for credentials, or encrypted private key
password. OpenVPN process is started with the stored information and if
there is some credential missing it will be queried via management
interface.
Each credential failure increases the authentication failed error
counter in vpn-provider.c but does not indicate it as an error to be
signaled. This is because the authentication failures are handled within
the plugin->openvpn process and the openvpn process does not die in
between. In case the credentials or the private key password is wrong
OpenVPN requests them again via management channel. If the error would
be signaled, connmand would have wrong indication of what is actually
happening and would attempt to disconnect the VPN in question.
The new VPN agent functionality is utilized to advise the VPN agent not
to store the encrypted private key password. Encrypted private key
password is kept in memory only, during the connman-vpnd lifetime. On
some systems VPN agents may store the credentials into files and thus
it is imperative not to save the encrypted private key password using
the VPN agent as it is bad practice to have both encrypted file and its
password stored on same storage space. Use of the
vpn_agent_append_keep_credentials() is also needed to indicate VPN agent
that the credentials should not be affected by the request to input
encrypted private key password. It may be that some VPN agents would
react to the storage and retrieval prevention values as the existing
values should be removed.
The private key password errors are not recorded as authentication
errors but are handled internally within the plugin. The rationale is
that since VPN agent is affected by the authentication errors and the
VpnAgent.AuthFailure is sent in such case, and VPN agent is advised not
to store the private key password, handling of the errors related to
private key password should happen within the plugin. If the private key
password stored in memory is wrong, it will be still attempted on first
try but OpenVPN will request a new one via management interface after a
failed attempt. The encrypted private key password failures are not
reported by OpenVPN (at least version <= 2.4.5) via management interface
and following patch is required in order for the failures to be
reported:
https://git.sailfishos.org/mer-core/openvpn/blob/4f4b4af116292a207416c8a990392e35a6fc41af/rpm/privatekey-passphrase-handling.diff
- a note about this is added to README.
Since the management channel unix socket is to be used by both vpnd and
the OpenVPN process the socket is created under system temp (env
TMPDIR). If env TMPDIR is omitted or empty, /tmp is used instead.
|
If '-r' option is used, do not use either dnsproxy or systemd-resolved
backend. Instead update /etc/resolv.conf and let applications do the
resolving.
|
Update doc to reflect the new EnableOnlineCheck configuration option
introduced with 4de35cde5a93271e785a3bb5a0f3d39aea34d77b
Correct typo.
|
Add new info from connman.net server admin to README.
Mention the online check in the manual so that end users have a reference why the client
opens an external route.
|
Warn users of GnuTLS about the behavior of gnutls_global_init() which
might block the loading of ConnMan.
|
The plugin is disabled by default. The upstream project hasn't released
any version so far.
|
The autoscan module in wpa_supplicant cannot handle hidden SSIDs, where
connman's autoscan policy does it properly so let's use this latter one
only.
|
Clarify how ConnMan does portal detection and online check in more detail.
|
Document that iptables is needed for tethering.
|
Move Linux Gadget, i.e. USB client, device support into a separate
plug-in instead of being combined with the Ethernet plug-in. Change
the prefix of several ethernet driver function names to be more
consistent with the underlying driver (e.g. cable_ -> eth_network_,
ethernet_ -> eth_dev_, eth_ -> eth_tech_).
|
Session networking code needs these kernel options to work.
CONFIG_NETFILTER_XT_CONNMARK
CONFIG_NETFILTER_XT_TARGET_CONNMARK
CONFIG_NETFILTER_XT_MATCH_CONNMARK
|
This is very handy to debug timing related issues, especially when another
daemon is involved, e.g. ofonod.
|
The SELinux rules are needed for VPN. They allow various vpn
clients to send notifications to connman-vpnd via net.connman.Task
dbus interface if the connman processes are run under systemd
and the system is in enforcing mode.
|
So it is under the "Configuration and options" section.
|