mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-11-27 03:33:55 +08:00
Persist-key: enable persist-key option by default
Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Trac: #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Message-Id: <20240307140355.32644-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
parent
15b74036a9
commit
802fcce544
@ -20,6 +20,8 @@ NTLMv1 authentication support for HTTP proxies has been removed.
|
||||
When configured to authenticate with NTLMv1 (``ntlm`` keyword in
|
||||
``--http-proxy``) OpenVPN will try NTLMv2 instead.
|
||||
|
||||
``persist-key`` option has been enabled by default.
|
||||
All the keys will be kept in memory across restart.
|
||||
|
||||
Overview of changes in 2.6
|
||||
==========================
|
||||
|
@ -39,7 +39,6 @@ Here is an example of connection profile usage::
|
||||
http-proxy 192.168.0.8 8080
|
||||
</connection>
|
||||
|
||||
persist-key
|
||||
persist-tun
|
||||
pkcs12 client.p12
|
||||
remote-cert-tls server
|
||||
|
@ -302,17 +302,6 @@ which mode OpenVPN is configured as.
|
||||
Change process priority after initialization (``n`` greater than 0 is
|
||||
lower priority, ``n`` less than zero is higher priority).
|
||||
|
||||
--persist-key
|
||||
Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
|
||||
|
||||
This option can be combined with ``--user`` to allow restarts
|
||||
triggered by the :code:`SIGUSR1` signal. Normally if you drop root
|
||||
privileges in OpenVPN, the daemon cannot be restarted since it will now
|
||||
be unable to re-read protected key files.
|
||||
|
||||
This option solves the problem by persisting keys across :code:`SIGUSR1`
|
||||
resets, so they don't need to be re-read.
|
||||
|
||||
--providers providers
|
||||
Load the list of (OpenSSL) providers. This is mainly useful for using an
|
||||
external provider for key management like tpm2-openssl or to load the
|
||||
@ -402,7 +391,7 @@ which mode OpenVPN is configured as.
|
||||
|
||||
Like with chroot, complications can result when scripts or restarts are
|
||||
executed after the setcon operation, which is why you should really
|
||||
consider using the ``--persist-key`` and ``--persist-tun`` options.
|
||||
consider using the ``--persist-tun`` option.
|
||||
|
||||
--status args
|
||||
Write operational status to ``file`` every ``n`` seconds. ``n`` defaults
|
||||
|
@ -283,7 +283,7 @@ the local and the remote host.
|
||||
See the signals section below for more information on :code:`SIGUSR1`.
|
||||
|
||||
Note that the behavior of ``SIGUSR1`` can be modified by the
|
||||
``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and
|
||||
``--persist-tun``, ``--persist-local-ip`` and
|
||||
``--persist-remote-ip`` options.
|
||||
|
||||
Also note that ``--ping-exit`` and ``--ping-restart`` are mutually
|
||||
|
@ -452,7 +452,7 @@ fast hardware. SSL/TLS authentication must be used in this mode.
|
||||
``--route``, ``--route-gateway``, ``--route-delay``,
|
||||
``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``,
|
||||
``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,
|
||||
``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,
|
||||
``--setenv``, ``--auth-token``, ``--persist-tun``,
|
||||
``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
|
||||
``--rcvbuf``, ``--session-timeout``
|
||||
|
||||
|
@ -10,9 +10,8 @@ SIGNALS
|
||||
Like :code:`SIGHUP``, except don't re-read configuration file, and
|
||||
possibly don't close and reopen TUN/TAP device, re-read key files,
|
||||
preserve local IP address/port, or preserve most recently authenticated
|
||||
remote IP address/port based on ``--persist-tun``, ``--persist-key``,
|
||||
``--persist-local-ip`` and ``--persist-remote-ip`` options respectively
|
||||
(see above).
|
||||
remote IP address/port based on ``--persist-tun``, ``--persist-local-ip``
|
||||
and ``--persist-remote-ip`` options respectively (see above).
|
||||
|
||||
This signal may also be internally generated by a timeout condition,
|
||||
governed by the ``--ping-restart`` option.
|
||||
|
@ -42,3 +42,6 @@ longer supported
|
||||
|
||||
--prng
|
||||
Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.
|
||||
|
||||
--persist-key
|
||||
Ignored since OpenVPN 2.7. Keys are now always persisted across restarts.
|
@ -62,7 +62,6 @@ nobind
|
||||
;group openvpn
|
||||
|
||||
# Try to preserve some state across restarts.
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# If you are connecting through an
|
||||
|
@ -274,11 +274,10 @@ cipher AES-256-CBC
|
||||
;user openvpn
|
||||
;group openvpn
|
||||
|
||||
# The persist options will try to avoid
|
||||
# The persist option will try to avoid
|
||||
# accessing certain resources on restart
|
||||
# that may no longer be accessible because
|
||||
# of the privilege downgrade.
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# Output a short status file showing
|
||||
|
@ -89,7 +89,6 @@ secret key.txt
|
||||
; ping-restart 60
|
||||
; ping-timer-rem
|
||||
; persist-tun
|
||||
; persist-key
|
||||
; resolv-retry 86400
|
||||
|
||||
# keep-alive ping
|
||||
|
@ -3559,14 +3559,6 @@ do_option_warnings(struct context *c)
|
||||
{
|
||||
msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
|
||||
}
|
||||
if (!o->persist_key
|
||||
#ifdef ENABLE_PKCS11
|
||||
&& !o->pkcs11_id
|
||||
#endif
|
||||
)
|
||||
{
|
||||
msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
|
||||
}
|
||||
}
|
||||
|
||||
if (o->chroot_dir && !(o->username && o->groupname))
|
||||
@ -3857,7 +3849,7 @@ static void
|
||||
do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
|
||||
{
|
||||
/*
|
||||
* always free the tls_auth/crypt key. If persist_key is true, the key will
|
||||
* always free the tls_auth/crypt key. The key will
|
||||
* be reloaded from memory (pre-cached)
|
||||
*/
|
||||
free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
|
||||
@ -3866,7 +3858,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
|
||||
buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
|
||||
free_buf(&c->c1.ks.tls_crypt_v2_wkc);
|
||||
|
||||
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
|
||||
if (!(c->sig->signal_received == SIGUSR1))
|
||||
{
|
||||
key_schedule_free(&c->c1.ks, free_ssl_ctx);
|
||||
}
|
||||
|
@ -48,7 +48,7 @@
|
||||
|
||||
/*
|
||||
* Our global key schedules, packaged thusly
|
||||
* to facilitate --persist-key.
|
||||
* to facilitate key persistence.
|
||||
*/
|
||||
|
||||
struct key_schedule
|
||||
|
@ -273,7 +273,6 @@ static const char usage_message[] =
|
||||
"--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
|
||||
"--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
|
||||
"--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
|
||||
"--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
|
||||
#if PASSTOS_CAPABILITY
|
||||
"--passtos : TOS passthrough (applies to IPv4 only).\n"
|
||||
#endif
|
||||
@ -1857,7 +1856,6 @@ show_settings(const struct options *o)
|
||||
SHOW_BOOL(persist_tun);
|
||||
SHOW_BOOL(persist_local_ip);
|
||||
SHOW_BOOL(persist_remote_ip);
|
||||
SHOW_BOOL(persist_key);
|
||||
|
||||
#if PASSTOS_CAPABILITY
|
||||
SHOW_BOOL(passtos);
|
||||
@ -3240,18 +3238,16 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
|
||||
ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
|
||||
}
|
||||
|
||||
/* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
|
||||
/* Pre-cache tls-auth/crypt(-v2) key file if
|
||||
* keys were not already embedded in the config file.
|
||||
*/
|
||||
if (o->persist_key)
|
||||
{
|
||||
connection_entry_preload_key(&ce->tls_auth_file,
|
||||
&ce->tls_auth_file_inline, &o->gc);
|
||||
connection_entry_preload_key(&ce->tls_crypt_file,
|
||||
&ce->tls_crypt_file_inline, &o->gc);
|
||||
connection_entry_preload_key(&ce->tls_crypt_v2_file,
|
||||
&ce->tls_crypt_v2_file_inline, &o->gc);
|
||||
}
|
||||
connection_entry_preload_key(&ce->tls_auth_file,
|
||||
&ce->tls_auth_file_inline, &o->gc);
|
||||
connection_entry_preload_key(&ce->tls_crypt_file,
|
||||
&ce->tls_crypt_file_inline, &o->gc);
|
||||
connection_entry_preload_key(&ce->tls_crypt_v2_file,
|
||||
&ce->tls_crypt_v2_file_inline, &o->gc);
|
||||
|
||||
|
||||
if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
|
||||
{
|
||||
@ -6963,7 +6959,8 @@ add_option(struct options *options,
|
||||
else if (streq(p[0], "persist-key") && !p[1])
|
||||
{
|
||||
VERIFY_PERMISSION(OPT_P_PERSIST);
|
||||
options->persist_key = true;
|
||||
msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
|
||||
"Keys are now always persisted across restarts. ");
|
||||
}
|
||||
else if (streq(p[0], "persist-local-ip") && !p[1])
|
||||
{
|
||||
|
@ -344,7 +344,6 @@ struct options
|
||||
bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
|
||||
bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
|
||||
bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
|
||||
bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
|
||||
|
||||
#if PASSTOS_CAPABILITY
|
||||
bool passtos;
|
||||
|
Loading…
Reference in New Issue
Block a user