Update OpenVPN 3.x core and implement logic to support --dns

schwabe · Feb 5, 2025 · 7afc932 · 7afc932
1 parent 68068ea
commit 7afc932
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 27 deletions.
diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt
@@ -63,6 +63,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
             openvpn3/client/ovpncli.cpp
             openvpn3/openvpn/openssl/xkey/xkey_provider.c
             openvpn3/openvpn/openssl/xkey/xkey_helper.c
+            openvpn3/openvpn/crypto/data_epoch.cpp
             ovpncli_wrap.cxx)
 
     add_library(ovpn3 SHARED ${ovpn3_SRCS})

diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -100,7 +100,7 @@ static class TunConfig {
         private final Vector<String> mDnslist = new Vector<>();
         private final NetworkSpace mRoutes = new NetworkSpace();
         private final NetworkSpace mRoutesv6 = new NetworkSpace();
-        private String mDomain = null;
+        private Vector<String> mSearchDomainList = new Vector<>();
         private CIDRIP mLocalIP = null;
         private int mMtu;
         private String mLocalIPv6 = null;
@@ -839,7 +839,7 @@ private static String getTunConfigString(TunConfig tc) {
         cfg += "routes: " + TextUtils.join("|", tc.mRoutes.getNetworks(true)) + TextUtils.join("|", tc.mRoutesv6.getNetworks(true));
         cfg += "excl. routes:" + TextUtils.join("|", tc.mRoutes.getNetworks(false)) + TextUtils.join("|", tc.mRoutesv6.getNetworks(false));
         cfg += "dns: " + TextUtils.join("|", tc.mDnslist);
-        cfg += "domain: " + tc.mDomain;
+        cfg += "domain: " + TextUtils.join("|", tc.mSearchDomainList);
         cfg += "mtu: " + tc.mMtu;
         cfg += "proxyInfo: " + tc.mProxyInfo;
         return cfg;
@@ -946,8 +946,8 @@ private ParcelFileDescriptor openTun(TunConfig tc) {
         }
 
 
-        if (tc.mDomain != null)
-            builder.addSearchDomain(tc.mDomain);
+        for (String domain: tc.mSearchDomainList)
+            builder.addSearchDomain(domain);
 
         String ipv4info;
         String ipv6info;
@@ -976,7 +976,7 @@ private ParcelFileDescriptor openTun(TunConfig tc) {
         }
 
         VpnStatus.logInfo(R.string.local_ip_info, ipv4info, ipv4len, ipv6info, tc.mMtu);
-        VpnStatus.logInfo(R.string.dns_server_info, TextUtils.join(", ", tc.mDnslist), tc.mDomain);
+        VpnStatus.logInfo(R.string.dns_server_info, TextUtils.join(", ", tc.mDnslist), tc.mSearchDomainList);
         VpnStatus.logInfo(R.string.routes_info_incl, TextUtils.join(", ", tc.mRoutes.getNetworks(true)), TextUtils.join(", ", tc.mRoutesv6.getNetworks(true)));
         VpnStatus.logInfo(R.string.routes_info_excl, TextUtils.join(", ", tc.mRoutes.getNetworks(false)), TextUtils.join(", ", tc.mRoutesv6.getNetworks(false)));
         if (tc.mProxyInfo != null) {
@@ -1181,10 +1181,17 @@ public void addDNS(String dns) {
         tunConfig.mDnslist.add(dns);
     }
 
-    public void setDomain(String domain) {
-        if (tunConfig.mDomain == null) {
-            tunConfig.mDomain = domain;
+    public void addDNS(String dns, int port) {
+        if (port != 0 && port != 53)
+        {
+            VpnStatus.logInfo(R.string.dnsserver_ignore_port, port, dns);
         }
+        tunConfig.mDnslist.add(dns);
+    }
+
+
+    public void addSearchDomain(String domain) {
+        tunConfig.mSearchDomainList.add(domain);
     }
 
     /**

diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
@@ -10,11 +10,10 @@
 import android.net.LocalServerSocket;
 import android.net.LocalSocket;
 import android.net.LocalSocketAddress;
-import android.os.Build;
 import android.os.Handler;
 import android.os.ParcelFileDescriptor;
 import androidx.annotation.NonNull;
-import androidx.annotation.RequiresApi;
+
 import android.system.Os;
 import android.util.Log;
 import de.blinkt.openvpn.R;
@@ -548,7 +547,7 @@ private void processNeedCommand(String argument) {
                 mOpenVPNService.addDNS(extra);
                 break;
             case "DNSDOMAIN":
-                mOpenVPNService.setDomain(extra);
+                mOpenVPNService.addSearchDomain(extra);
                 break;
             case "ROUTE": {
                 String[] routeparts = extra.split(" ");

diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
@@ -512,4 +512,10 @@
     <string name="missing_vpn_permission_log">VPN Service is missing permission to connect a VPN. Requesting permission via notification.</string>
     <string name="ignore_vpn_start_request">VPN already running (%s). Ignoring request to start VPN.</string>
     <string name="name_of_the_vpn_profile">Name of the VPN Profile</string>
+    <string name="dnsserver_ignore_port">Note ignoring port %1$d for DNS server with address %2$s"</string>
+    <string name="dnsserver_ignore_dnnsec">Skipping DNS server entry %1$d as it requires DNSSEC: %2$s</string>
+    <string name="dnsserver_ignore_tls_doh"> Skipping DNS server entry %1$d as it requires DNS over TLS or DNS over HTTPS: %2$s</string>
+    <string name="dnsserver_ignore_dnsport">Skipping address %1$s:%2$d for DNS server entry %1$d as uses a non-default port: %2$s</string>
+    <string name="dnsserver_no_valid_server">No valid DNS server left. Terminating connection.</string>
+
 </resources>
diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -1,12 +1,8 @@
 package de.blinkt.openvpn.core;
 
-import android.annotation.SuppressLint;
 import android.content.Context;
 import android.os.Handler;
 import android.os.HandlerThread;
-import android.os.Looper;
-import android.os.Message;
-import android.provider.Settings;
 import android.text.TextUtils;
 
 import net.openvpn.ovpn3.ClientAPI_Config;
@@ -20,16 +16,22 @@
 import net.openvpn.ovpn3.ClientAPI_ProvideCreds;
 import net.openvpn.ovpn3.ClientAPI_Status;
 import net.openvpn.ovpn3.ClientAPI_TransportStats;
+import net.openvpn.ovpn3.DnsAddress;
+import net.openvpn.ovpn3.DnsDomain;
+import net.openvpn.ovpn3.DnsOptions;
+import net.openvpn.ovpn3.DnsOptions_ServersMap;
+import net.openvpn.ovpn3.DnsServer;
 
 import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
 
 import de.blinkt.openvpn.R;
 import de.blinkt.openvpn.VpnProfile;
 
 import static de.blinkt.openvpn.VpnProfile.AUTH_RETRY_NOINTERACT;
 
-import androidx.annotation.NonNull;
-
 public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable, OpenVPNManagement {
     final static long EmulateExcludeRoutes = (1 << 16);
 
@@ -84,10 +86,56 @@ public boolean tun_builder_set_mtu(int mtu) {
         return true;
     }
 
+
     @Override
-    public boolean tun_builder_add_dns_server(String address, boolean ipv6) {
-        mService.addDNS(address);
-        return true;
+    public boolean tun_builder_set_dns_options(DnsOptions dns)
+    {
+        boolean dnsadded = false;
+        for(DnsDomain domain:dns.getSearch_domains()) {
+            mService.addSearchDomain(domain.getDomain());
+        }
+
+        /* sort dns server if the provided map is not sorted */
+        TreeMap<Integer, DnsServer> sortedDNSServers = new TreeMap<>(dns.getServers());
+
+        for (Map.Entry<Integer, DnsServer> dnsServerEntry: sortedDNSServers.entrySet() ) {
+            DnsServer server = dnsServerEntry.getValue();
+            int prio = dnsServerEntry.getKey();
+
+            if (DnsServer.Security.Yes.equals(server.getDnssec()))
+            {
+                VpnStatus.logInfo(R.string.dnsserver_ignore_dnnsec, prio, server.to_string().trim());
+                continue;
+            }
+
+            if (!DnsServer.Transport.Plain.equals(server.getTransport()) &&
+                    !DnsServer.Transport.Unset.equals(server.getTransport()))
+            {
+                VpnStatus.logInfo(R.string.dnsserver_ignore_tls_doh, prio, server.to_string().trim());
+                continue;
+            }
+
+            for(DnsAddress address: server.getAddresses())
+            {
+                if (address.getPort() == 0 || address.getPort() == 53) {
+                    mService.addDNS(address.getAddress());
+                    dnsadded = true;
+                }
+                else
+                {
+                    VpnStatus.logInfo(R.string.dnsserver_ignore_dnsport,
+                            address.getAddress(), address.getPort(), prio, server.to_string().trim());
+                }
+            }
+            /* We apply only the first DNS priority that works for us, so skip the rest after
+            * applying one */
+            if (dnsadded)
+                return true;
+
+        }
+        VpnStatus.logError(R.string.dnsserver_no_valid_server);
+        stopVPN(false);
+        return false;
     }
 
     @Override
@@ -113,12 +161,6 @@ public boolean tun_builder_exclude_route(String address, int prefix_length, int
         return true;
     }
 
-    @Override
-    public boolean tun_builder_add_search_domain(String domain) {
-        mService.setDomain(domain);
-        return true;
-    }
-
     @Override
     public boolean tun_builder_set_proxy_http(String host, int port)
     {