- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
It allows you to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All of this patch is widely inspired by the haproxy implementation, which
allows binding each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This addresses issues with anyconnect clients which send back the descriptive labels.
Resolves: #267
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This permits the validation of OpenID Connect auth tokens. OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
When a client re-uses a cookie and takes over a previous connection,
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
in this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This modifies test-pass-script to force a DPD timeout to
verify whether ${IP_REMOTE} is set on the disconnect script.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This test verifies that the server will continue to operate
even if the up script will block indefinitely.
Resolves: #241
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This option supports different listen addresses for tcp and
udp such as haproxy for tcp, but support dtls at the same time (haproxy
does not support UDP at the moment)
tests (radius-otp): add a check of the radcli version (at least 1.2.7), since Debian uses version
1.2.6, which does not support Access-Challenge server response.
tests: show debug messages only in VERBOSE mode
tests (radius-otp): replace test for option max_challenge to macro MAX_CHALLENGE
Signed-off-by: Alexey Dotsenko <lex@rwx.su>
This enables support for AES-256 for anyconnect clients which
do not support AES-GCM. Also prioritized the 256-bit ciphers
higher than the 128-bit ones.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That addresses the issue of not being able to run under systemd,
or under non-forking mode. Added test case to detect proper
operation.
Resolves: #154
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This checks whether connecting to different virtual hosts
with different authentication methods works.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This is similar to the test case (test-pass-opt-cert) of pass or cert,
but in that case the certificate method is set as primary.
Relates #108
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That checks whether connecting to a locked account will have
unexpected effects (e.g., login allowed).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>