By default, anyconnect clients will drop all traffic of a given IP
version if there is no IP address in that version assigned to the
client. The client-bypass-protocol option, if enabled, will send an
extra header to the clients telling anyconnect client to bypass VPN
tunnel if there is no IP assigned. No impact for openconnect clients,
this header will simply be ignored.
Signed-off-by: Florian Domain <f.domain@criteo.com>
- print outfile instead of new command; this will help debug when an
issue occurs, to know what was the original output
- also add some time between tests to avoid race; this was failing on
"could not find group information"
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(PSK)-(AES-256-GCM).
inet 192.168.93.190/32 scope global tun0
PING 192.168.93.1 (192.168.93.1) 56(84) bytes of data.
64 bytes from 192.168.93.1: icmp_seq=1 ttl=64 time=0.217 ms
64 bytes from 192.168.93.1: icmp_seq=2 ttl=64 time=0.246 ms
64 bytes from 192.168.93.1: icmp_seq=3 ttl=64 time=0.235 ms
--- 192.168.93.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2052ms
rtt min/avg/max/mdev = 0.217/0.232/0.246/0.011 ms
could not find group information
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
while using udp, we later open a file descriptor for the worker. With a
listen netns config, I overlooked this case which oblige me to move the
struct containing the file descriptor in the main one. Then I can access
them from each worker to make it possible to open the socket in the
correct netns. I also need to keep the netns fd open during the whole
life of the process.
the issue was not visible on a tcp-only case, but while using udp you
can see logs such as:
main[user]: x.x.x.x:54024 bind UDP to 0.0.0.0:443: Cannot assign requested address
worker[user]: x.x.x.x setting up DTLS-PSK connection
main[user]: x.x.x.x:54024 bind UDP to 0.0.0.0:443: Cannot assign requested address
update tests to reflects that:
- instead of creating our own netns, use the one created in common.sh
- we start server in ns1, but listen in ns2, and test client from ns3
(we don't want to listen in ns1 to test listen-ns)
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This ignores any items following the first group class attribute.
Resolves: #332
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Add support for gracefully stopping the server.
Add primer on using ocserv with L3 load balancer.
Resolves: #345
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
Now all tests configs are being auto-generated, so this variable
will be replaced.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This disables all the tests that use LD_PRELOAD, and thus limits
the test suite on the tests that are run as root.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The previously used HOSTNAME variable is being overriden by bash and
thus was not a reliable one. We switch to setting REMOTE_HOSTNAME,
but keep the HOSTNAME for compatibility.
This also changes 'test-pass-script' to check for the new variable.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
it allows to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All this patch is widely inspired by haproxy implementation which allows
to bind each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into it's own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett alanjo@microsoft.com
This addresses issues with anyconnect clients which send back the descriptive labels.
Resolves#267
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
