~mamarley/openconnect/+git/gitlab-main:temp_test

Last commit made on 2021-02-09
Get this branch:
git clone -b temp_test https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Branch information: name temp_test, repository lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

d539828... by Dan Lenski

Ubuntu test --enable-ppp-tests

Signed-off-by: Daniel Lenski <email address hidden>

ae05394... by Dan Lenski

improve ppp-over-tls tests

- Add timeouts (15 seconds for HDLC; 30 seconds for non-HDLC) so we don't spin forever
- Always set 'nodefaultroute' and negotiate link-local IPv4 addresses
- Clean up syntax

Signed-off-by: Daniel Lenski <email address hidden>

5762ac7... by Dan Lenski

more accurate PPP-over-TLS MTU calculation

Signed-off-by: Daniel Lenski <email address hidden>

b61bdbd... by Dan Lenski

Fix three sanitizer complaints

Signed-off-by: Daniel Lenski <email address hidden>

9b5a934... by Dan Lenski

add ppp-over-tls tests (with pppd as the reference peer implementation)

These test OpenConnect's ability to communicate with the standard pppd using
PPP-over-TLS, with a variety of PPP negotiation options:

  ± IPv4
  ± IPv6
  ± DNS and NBNS server negotiation
  ± PPP header protocol/address field compression
  ± Van Jacobson header compression (always rejected by OpenConnect)

These tests use socat to create TLS socket pairs, connecting `openconnect
--protocol=nullppp` to one end and `pppd` to the other.

I tried and failed to combine socat and pppd invocations, but pppd seemingly
cannot handle being wrapped by libsocket_wrapper.so (nor libuid_wrapper.so;
it must run as root).

`pppd sync` (non-HDLC framing) appears to have trouble reacting to incoming
packets in this configuration, so OpenConnect has to invoke retry timers during
negotiation. This seems to be a bug in pppd, rather than a flaw in OpenConnect's
implementation of PPP. Added logging of the time that each run takes.

Signed-off-by: Daniel Lenski <email address hidden>

39868fd... by Dan Lenski

add OC_PROTO_HIDDEN and use this to hide nullppp from protocols displayed or shown by openconnect_get_supported_protocols

Signed-off-by: Daniel Lenski <email address hidden>

3f2e912... by Dan Lenski

add 'nullppp' protocol for testing

Use `socat` to set up a PTY connected to a TLS socket (listening only on the local interface):

    socat -s -d -d \
      PTY,raw,b9600 \
      OPENSSL-LISTEN:5556,cert=tests/certs/server-cert.pem,key=tests/certs/server-key.pem,verify=0,so-bindtodevice=lo
    [ N PTY is /dev/pts/X ]

Connect the PTY to `pppd` (requires root):

    # Add 'sync' to disable HDLC framing
    sudo pppd /dev/pts/X 10.0.0.1:10.0.0.101 noauth debug dump logfd 2 local nodetach passive persist ms-dns 1.1.1.1 ms-wins 5.5.5.5 +ipv6

Connect OpenConnect to the TLS socket, and watch it negotiate LCP/IPCP/IP6CP with its peer, and reject CCP:

    # Add noipv4,noipv6 to cookie to try those
    ./openconnect --protocol=nullppp --cookie hdlc --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dump localhost:5556

Signed-off-by: Daniel Lenski <email address hidden>

214cc81... by dwmw2

add support for PPP-based protocols

This started out as the 'f5' branch, which was then rebased (by DL) onto a
more recent master as 'ppp_rebased'.

This was then squashed down into a single commit, with all of the bits
depending on "real" PPP-based VPN protocols removed, so that only the shell
of generic PPP support remains, including PPP protocol negotiation (LCP,
IPCP, IP6CP) and mainloop.

Almost all of this code was done by David Woodhouse and Daniel Lenski in
May 2020, with a few more recent bugfixes by DL in early February 2021.

The remaining shell supports two different encapsulations of PPP:

    - PPP_ENCAP_RFC1661: Plain PPP. “Synchronous” in the ’90s-era language,
      because the start and end of the frame are known from external means.

      In modern instances, this is because they arrive in a complete packet with
      a known length from its lower-level encapsulation. (TLS or DTLS records in
      our expected use cases.)

      This is what `pppd sync` does.

    - PPP_ENCAP_RFC1662: “PPP in HDLC-like framing.”

      This is what `pppd` without `sync` does.

The following commits will add tests to demonstrate the functionality of
OpenConnect's PPP implementation at the level of this generic encapsulation.

Signed-off-by: Daniel Lenski <email address hidden>
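The two encapsulations in the commit above differ only in framing: with PPP_ENCAP_RFC1661 the frame boundary comes from the TLS/DTLS record, while PPP_ENCAP_RFC1662 has to delimit, byte-stuff and checksum each frame itself. As an added illustration, not OpenConnect's own code, here is a minimal RFC 1662 framer and deframer in C (the names pppfcs16, hdlc_encode and hdlc_decode are this example's own); the ACCM escaping and the drop-on-bad-FCS path in the decoder are the parts a receiver must get right before it hands bytes to LCP/IPCP.

```c
#include <stdint.h>
#include <stddef.h>
#define PPP_FLAG 0x7e
#define PPP_ESC  0x7d
#define PPP_GOODFCS16 0xf0b8 /* residue a correct frame+FCS leaves (RFC 1662) */
/* FCS-16 of RFC 1662: CRC-16, reflected polynomial 0x8408, initial value 0xffff. */
uint16_t pppfcs16(uint16_t fcs, const uint8_t *cp, size_t len)
{
    while (len--) {
        fcs ^= *cp++;
        for (int i = 0; i < 8; i++)
            fcs = (fcs & 1) ? (fcs >> 1) ^ 0x8408 : fcs >> 1;
    }
    return fcs;
}
/* Wrap a plain (RFC 1661) frame in RFC 1662 framing; accm bit n set => escape byte n. */
size_t hdlc_encode(const uint8_t *in, size_t n, uint32_t accm, uint8_t *out, size_t cap)
{
    uint16_t fcs = ~pppfcs16(0xffff, in, n);        /* sent complemented, LSB first */
    uint8_t tail[2] = { fcs & 0xff, fcs >> 8 };
    size_t o = 0;
    if (!cap) return 0;
    out[o++] = PPP_FLAG;
    for (int pass = 0; pass < 2; pass++) {           /* pass 0: frame, pass 1: FCS */
        const uint8_t *p = pass ? tail : in;
        for (size_t i = 0, len = pass ? 2 : n; i < len; i++) {
            uint8_t c = p[i];
            int esc = c == PPP_FLAG || c == PPP_ESC || (c < 0x20 && ((accm >> c) & 1u));
            if (o + 1 + esc >= cap) return 0;        /* keep room for the closing flag */
            if (esc) { out[o++] = PPP_ESC; c ^= 0x20; }
            out[o++] = c;
        }
    }
    out[o++] = PPP_FLAG;
    return o;
}
/* Unstuff one framed packet and verify its FCS; returns the plain length, or -1 to drop it. */
int hdlc_decode(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = in[i];
        if (c == PPP_FLAG) { if (o) break; continue; }       /* frame boundary */
        if (c == PPP_ESC) { if (++i >= n) return -1; c = in[i] ^ 0x20; } /* dangling escape */
        if (o >= cap) return -1;                             /* output overrun */
        out[o++] = c;
    }
    if (o < 2 || pppfcs16(0xffff, out, o) != PPP_GOODFCS16) return -1; /* bad or missing FCS */
    return (int)(o - 2);
}
```

With the default ACCM (all ones, as before LCP negotiates one) every control byte below 0x20 is escaped as well as 0x7e and 0x7d, which is why the HDLC variant needs a larger wire buffer than the plain one for the same MTU.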

5613bf6... by Dan Lenski

allegedly universal MTU calculator: use for GPST and PPP

Signed-off-by: Daniel Lenski <email address hidden>

78a5441... by Dan Lenski

split htmlnode_next and htmlnode_dive

htmlnode_next(): try ->next, before ->parent
htmlnode_dive(): try children, before ->next, before ->parent

Signed-off-by: Daniel Lenski <email address hidden>