@@ -41,7 +41,11 @@

 static char base64_chars[] = 

     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

-

+/*

+ * base64 encode input data of length size to malloced

+ * buffer which is returned as *str.  Returns string

+ * length of *str.

+ */

 int 

 base64_encode(const void *data, int size, char **str)

 {

@@ -115,7 +119,11 @@ token_decode(const char *token)

 	return DECODE_ERROR;

     return (marker << 24) | val;

 }

-

+/*

+ * Decode base64 str, outputting data to buffer

+ * at data of length size.  Return length of

+ * decoded data written or -1 on error or overflow.

+ */

 int

 base64_decode(const char *str, void *data, int size)

 {

@@ -1006,7 +1006,7 @@ process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf)

   if (!c->options.passtos)

     flags &= ~PIPV4_PASSTOS;

 #endif

-  if (!c->options.route_gateway_via_dhcp || !route_list_default_gateway_needed (c->c1.route_list))

+  if (!c->options.route_gateway_via_dhcp || !route_list_vpn_gateway_needed (c->c1.route_list))

     flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;

   if (buf->len > 0)

@@ -1047,7 +1047,7 @@ process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf)

 		{

 		  const in_addr_t dhcp_router = dhcp_extract_router_msg (&ipbuf);

 		  if (dhcp_router)

-		    route_list_add_default_gateway (c->c1.route_list, c->c2.es, dhcp_router);

+		    route_list_add_vpn_gateway (c->c1.route_list, c->c2.es, dhcp_router);

 		}

 	    }

 	}

@@ -199,6 +199,90 @@ management_callback_http_proxy_fallback_cmd (void *arg, const char *server, cons

 #endif

+#if MANAGEMENT_QUERY_REMOTE

+

+static bool

+management_callback_remote_cmd (void *arg, const char **p)

+{

+  struct context *c = (struct context *) arg;

+  struct connection_entry *ce = &c->options.ce;

+  int ret = false;

+  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)

+    {

+      int flags = 0;

+      if (!strcmp(p[1], "ACCEPT"))

+	{

+	  flags = CE_MAN_QUERY_REMOTE_ACCEPT;

+	  ret = true;

+	}

+      else if (!strcmp(p[1], "SKIP"))

+	{

+	  flags = CE_MAN_QUERY_REMOTE_SKIP;

+	  ret = true;

+	}

+      else if (!strcmp(p[1], "MOD") && p[2] && p[3])

+	{

+	  const int port = atoi(p[3]);

+	  if (strlen(p[2]) < RH_HOST_LEN && legal_ipv4_port(port))

+	    {

+	      struct remote_host_store *rhs = c->options.rh_store;

+	      if (!rhs)

+		{

+		  ALLOC_OBJ_CLEAR_GC (rhs, struct remote_host_store, &c->options.gc);

+		  c->options.rh_store = rhs;

+		}

+	      strncpynt(rhs->host, p[2], RH_HOST_LEN);

+	      ce->remote = rhs->host;

+	      ce->remote_port = port;

+	      flags = CE_MAN_QUERY_REMOTE_MOD;

+	      ret = true;

+	    }

+	}

+      if (ret)

+	{

+	  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);

+	  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);

+	}

+    }

+  return ret;

+}

+

+static bool

+ce_management_query_remote (struct context *c, const char *remote_ip_hint)

+{

+  struct gc_arena gc = gc_new ();

+  volatile struct connection_entry *ce = &c->options.ce;

+  int ret = true;

+  update_time();

+  if (management)

+    {

+      struct buffer out = alloc_buf_gc (256, &gc);

+      buf_printf (&out, ">REMOTE:%s,%d,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, false));

+      management_notify_generic(management, BSTR (&out));

+      ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);

+      ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT);

+      while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)

+	{

+	  management_event_loop_n_seconds (management, 1);

+	  if (IS_SIG (c))

+	    {

+	      ret = false;

+	      break;

+	    }

+	}

+    }

+  {

+    const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);

+    if (flags == CE_MAN_QUERY_REMOTE_ACCEPT && remote_ip_hint)

+      ce->remote = remote_ip_hint;

+    ret = (flags != CE_MAN_QUERY_REMOTE_SKIP);

+  }

+  gc_free (&gc);

+  return ret;

+}

+

+#endif

+

 /*

  * Initialize and possibly randomize connection list.

  */

@@ -313,6 +397,15 @@ next_connection_entry (struct context *c)

 	c->options.ce = *ce;

+#if MANAGEMENT_QUERY_REMOTE

+	if (ce_defined && management && management_query_remote_enabled(management))

+	  {

+	    /* allow management interface to override connection entry details */

+	    ce_defined = ce_management_query_remote(c, remote_ip_hint);

+	    if (IS_SIG (c))

+	      break;

+	  } else

+#endif

 	if (remote_ip_hint)

 	  c->options.ce.remote = remote_ip_hint;

@@ -343,7 +436,13 @@ init_query_passwords (struct context *c)

 #if P2MP

   /* Auth user/pass input */

   if (c->options.auth_user_pass_file)

-    auth_user_pass_setup (c->options.auth_user_pass_file);

+    {

+#ifdef ENABLE_CLIENT_CR

+      auth_user_pass_setup (c->options.auth_user_pass_file, &c->options.sc_info);

+#else

+      auth_user_pass_setup (c->options.auth_user_pass_file, NULL);

+#endif

+    }

 #endif

 }

@@ -598,21 +697,9 @@ init_static (void)

 #ifdef TEST_GET_DEFAULT_GATEWAY

   {

-    struct gc_arena gc = gc_new ();

-    in_addr_t addr;

-    char macaddr[6];

-

-    if (get_default_gateway(&addr, NULL))

-      msg (M_INFO, "GW %s", print_in_addr_t(addr, 0, &gc));

-    else

-      msg (M_INFO, "GDG ERROR");

-

-    if (get_default_gateway_mac_addr(macaddr))

-      msg (M_INFO, "MAC %s", format_hex_ex (macaddr, 6, 0, 1, ":", &gc));

-    else

-      msg (M_INFO, "GDGMA ERROR");

-

-    gc_free (&gc);

+    struct route_gateway_info rgi;

+    get_default_gateway(&rgi);

+    print_default_gateway(M_INFO, &rgi);

     return false;

   }

 #endif

@@ -1241,7 +1328,7 @@ do_route (const struct options *options,

   if (!options->route_noexec && ( route_list || route_ipv6_list ) )

     {

       add_routes (route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS (options), es);

-      setenv_int (es, "redirect_gateway", route_list->did_redirect_default_gateway);

+      setenv_int (es, "redirect_gateway", route_did_redirect_default_gateway(route_list));

     }

 #ifdef ENABLE_MANAGEMENT

   if (management)

@@ -2154,6 +2241,10 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)

   to.x509_track = options->x509_track;

 #endif

+#ifdef ENABLE_CLIENT_CR

+  to.sci = &options->sc_info;

+#endif

+

   /* TLS handshake authentication (--tls-auth) */

   if (options->tls_auth_file)

     {

@@ -3046,6 +3137,9 @@ init_management_callback_p2p (struct context *c)

 #if HTTP_PROXY_FALLBACK

       cb.http_proxy_fallback_cmd = management_callback_http_proxy_fallback_cmd;

 #endif

+#if MANAGEMENT_QUERY_REMOTE

+      cb.remote_cmd = management_callback_remote_cmd;

+#endif

       management_set_callback (management, &cb);

     }

 #endif

@@ -86,6 +86,9 @@ man_help ()

   msg (M_CLIENT, "                         where action is reply string.");

   msg (M_CLIENT, "net                    : (Windows only) Show network info and routing table.");

   msg (M_CLIENT, "password type p        : Enter password p for a queried OpenVPN password.");

+#if MANAGEMENT_QUERY_REMOTE

+  msg (M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");

+#endif

   msg (M_CLIENT, "pid                    : Show process ID of the current OpenVPN process.");

 #ifdef ENABLE_PKCS11

   msg (M_CLIENT, "pkcs11-id-count        : Get number of available PKCS#11 identities.");

@@ -606,25 +609,19 @@ man_up_finalize (struct management *man)

 {

   switch (man->connection.up_query_mode)

     {

-    case UP_QUERY_DISABLED:

-      man->connection.up_query.defined = false;

-      break;

     case UP_QUERY_USER_PASS:

-      if (strlen (man->connection.up_query.username) && strlen (man->connection.up_query.password))

-	man->connection.up_query.defined = true;

-      break;

+      if (!strlen (man->connection.up_query.username))

+	break;

+      /* fall through */

     case UP_QUERY_PASS:

-      if (strlen (man->connection.up_query.password))

-	man->connection.up_query.defined = true;

-      break;

     case UP_QUERY_NEED_OK:

-      if (strlen (man->connection.up_query.password))

-	man->connection.up_query.defined = true;

-      break;

     case UP_QUERY_NEED_STR:

       if (strlen (man->connection.up_query.password))

 	man->connection.up_query.defined = true;

       break;

+    case UP_QUERY_DISABLED:

+      man->connection.up_query.defined = false;

+      break;

     default:

       ASSERT (0);

     }

@@ -665,16 +662,17 @@ man_query_user_pass (struct management *man,

 static void

 man_query_username (struct management *man, const char *type, const char *string)

 {

-  const bool needed = (man->connection.up_query_mode == UP_QUERY_USER_PASS && man->connection.up_query_type);

+  const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS

+			) && man->connection.up_query_type);

   man_query_user_pass (man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);

 }

 static void

 man_query_password (struct management *man, const char *type, const char *string)

 {

-  const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS

-			|| man->connection.up_query_mode == UP_QUERY_PASS)

-		       && man->connection.up_query_type);

+  const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS

+			|| man->connection.up_query_mode == UP_QUERY_USER_PASS

+			) && man->connection.up_query_type);

   if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */

     string = blank_up;

   man_query_user_pass (man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);

@@ -1090,6 +1088,31 @@ man_http_proxy_fallback (struct management *man, const char *server, const char

 #endif

+#if MANAGEMENT_QUERY_REMOTE

+

+static void

+man_remote (struct management *man, const char **p)

+{

+  if (man->persist.callback.remote_cmd)

+    {

+      const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p);

+      if (status)

+	{

+	  msg (M_CLIENT, "SUCCESS: remote command succeeded");

+	}

+      else

+	{

+	  msg (M_CLIENT, "ERROR: remote command failed");

+	}

+    }

+  else

+    {

+      msg (M_CLIENT, "ERROR: The remote command is not supported by the current daemon mode");

+    }

+}

+

+#endif

+

 static void

 man_dispatch_command (struct management *man, struct status_output *so, const char **p, const int nparms)

 {

@@ -1319,6 +1342,13 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch

       man_http_proxy_fallback (man, NULL, NULL, NULL);

     }

 #endif

+#if MANAGEMENT_QUERY_REMOTE

+  else if (streq (p[0], "remote"))

+    {

+      if (man_need (man, p, 1, MN_AT_LEAST))

+	man_remote (man, p);

+    }

+#endif

 #if 1

   else if (streq (p[0], "test"))

     {

@@ -2339,6 +2369,12 @@ management_notify(struct management *man, const char *severity, const char *type

   msg (M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text);

 }

+void

+management_notify_generic (struct management *man, const char *str)

+{

+  msg (M_CLIENT, "%s", str);

+}

+

 #ifdef MANAGEMENT_DEF_AUTH

 static bool

@@ -2843,7 +2879,8 @@ bool

 management_query_user_pass (struct management *man,

 			    struct user_pass *up,

 			    const char *type,

-			    const unsigned int flags)

+			    const unsigned int flags,

+			    const char *static_challenge)

 {

   struct gc_arena gc = gc_new ();

   bool ret = false;

@@ -2856,7 +2893,9 @@ management_query_user_pass (struct management *man,

       const char *alert_type = NULL;

       const char *prefix = NULL;

       unsigned int up_query_mode = 0;

-

+#ifdef ENABLE_CLIENT_CR

+      const char *sc = NULL;

+#endif

       ret = true;

       man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */

       man->persist.special_state_msg = NULL;

@@ -2886,6 +2925,10 @@ management_query_user_pass (struct management *man,

 	  up_query_mode = UP_QUERY_USER_PASS;

 	  prefix = "PASSWORD";

 	  alert_type = "username/password";

+#ifdef ENABLE_CLIENT_CR

+	  if (static_challenge)

+	    sc = static_challenge;

+#endif

 	}

       buf_printf (&alert_msg, ">%s:Need '%s' %s",

 		  prefix,

@@ -2895,6 +2938,13 @@ management_query_user_pass (struct management *man,

       if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR))

 	buf_printf (&alert_msg, " MSG:%s", up->username);

+#ifdef ENABLE_CLIENT_CR

+      if (sc)

+	buf_printf (&alert_msg, " SC:%d,%s",

+		    BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO),

+		    sc);

+#endif

+

       man_wait_for_client_connection (man, &signal_received, 0, MWCC_PASSWORD_WAIT);

       if (signal_received)

 	ret = false;

@@ -2908,7 +2958,7 @@ management_query_user_pass (struct management *man,

 	  man->connection.up_query_mode = up_query_mode;

 	  man->connection.up_query_type = type;

-	  /* run command processing event loop until we get our username/password */

+	  /* run command processing event loop until we get our username/password/response */

 	  do

 	    {

 	      man_standalone_event_loop (man, &signal_received, 0);

@@ -174,6 +174,9 @@ struct management_callback

 #if HTTP_PROXY_FALLBACK

   bool (*http_proxy_fallback_cmd) (void *arg, const char *server, const char *port, const char *flags);

 #endif

+#if MANAGEMENT_QUERY_REMOTE

+  bool (*remote_cmd) (void *arg, const char **p);

+#endif

 };

 /*

@@ -333,6 +336,9 @@ struct management *management_init (void);

 # define MF_EXTERNAL_KEY    (1<<9)

 #endif

 #define MF_UP_DOWN          (1<<10)

+#if MANAGEMENT_QUERY_REMOTE

+#define MF_QUERY_REMOTE     (1<<11)

+#endif

 bool management_open (struct management *man,

 		      const char *addr,

@@ -365,7 +371,11 @@ void management_set_callback (struct management *man,

 void management_clear_callback (struct management *man);

-bool management_query_user_pass (struct management *man, struct user_pass *up, const char *type, const unsigned int flags);

+bool management_query_user_pass (struct management *man,

+				 struct user_pass *up,

+				 const char *type,

+				 const unsigned int flags,

+				 const char *static_challenge);

 bool management_should_daemonize (struct management *man);

 bool management_would_hold (struct management *man);

@@ -377,6 +387,8 @@ void management_up_down(struct management *man, const char *updown, const struct

 void management_notify(struct management *man, const char *severity, const char *type, const char *text);

+void management_notify_generic (struct management *man, const char *str);

+

 #ifdef MANAGEMENT_DEF_AUTH

 void management_notify_client_needing_auth (struct management *management,

 					    const unsigned int auth_id,

@@ -415,6 +427,14 @@ management_query_user_pass_enabled (const struct management *man)

   return BOOL_CAST(man->settings.flags & MF_QUERY_PASSWORDS);

 }

+#if MANAGEMENT_QUERY_REMOTE

+static inline bool

+management_query_remote_enabled (const struct management *man)

+{

+  return BOOL_CAST(man->settings.flags & MF_QUERY_REMOTE);

+}

+#endif

+

 #ifdef MANAGEMENT_PF

 static inline bool

 management_enable_pf (const struct management *man)

@@ -687,6 +687,38 @@ the 10.0.0.0/8 netblock is allowed: 10.10.0.1.  Also, the client

 may not interact with external IP addresses using an "unknown"

 protocol (i.e. one that is not IPv4 or ARP).

+COMMAND -- remote  (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher)

+--------------------------------------------

+

+Provide remote host/port in response to a >REMOTE notification

+(client only).  Requires that the --management-query-remote

+directive is used.

+

+  remote ACTION [HOST PORT]

+

+The "remote" command should only be given in response to a >REMOTE

+notification.  For example, the following >REMOTE notification

+indicates that the client config file would ordinarily connect

+to vpn.example.com port 1194 (UDP):

+

+  >REMOTE:vpn.example.com,1194,udp

+

+Now, suppose we want to override the host and port, connecting

+instead to vpn.otherexample.com port 1234.  After receiving

+the above notification, use this command:

+

+  remote MOD vpn.otherexample.com 1234

+

+To accept the same host and port as the client would ordinarily

+have connected to, use this command:

+

+  remote ACCEPT

+

+To skip the current connection entry and advance to the next one,

+use this command:

+

+  remote SKIP

+

 OUTPUT FORMAT

 -------------

@@ -836,3 +868,113 @@ mappings, when not in single quotations:

          interpret it as enclosing a parameter.

 \[SPACE] Pass a literal space or tab character, don't

          interpret it as a parameter delimiter.

+

+Challenge/Response Protocol

+---------------------------

+

+The OpenVPN Challenge/Response Protocol allows an OpenVPN server to

+generate challenge questions that are shown to the user, and to see

+the user's responses to those challenges.  Based on the responses, the

+server can allow or deny access.

+

+In this way, the OpenVPN Challenge/Response Protocol can be used

+to implement multi-factor authentication.  Two different

+variations on the challenge/response protocol are supported: the

+"Dynamic" and "Static" protocols.

+

+The basic idea of Challenge/Response is that the user must enter an

+additional piece of information, in addition to the username and

+password, to successfully authenticate.  Normally, this information

+is used to prove that the user posesses a certain key-like device

+such as cryptographic token or a particular mobile phone.

+

+Dynamic protocol:

+

+The OpenVPN dynamic challenge/response protocol works by returning

+a specially formatted error message after initial successful

+authentication.  This error message contains the challenge question,

+and is formatted as such:

+

+  CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>

+

+flags: a series of optional, comma-separated flags:

+ E : echo the response when the user types it

+ R : a response is required

+

+state_id: an opaque string that should be returned to the server

+ along with the response.

+

+username_base64 : the username formatted as base64

+

+challenge_text : the challenge text to be shown to the user

+

+Example challenge:

+

+  CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN

+

+After showing the challenge_text and getting a response from the user

+(if R flag is specified), the client should submit the following

+auth creds back to the OpenVPN server:

+

+Username: [username decoded from username_base64]

+Password: CRV1::<state_id>::<response_text>

+

+Where state_id is taken from the challenge request and response_text

+is what the user entered in response to the challenge_text.

+If the R flag is not present, response_text may be the empty

+string.

+

+Example response (suppose the user enters "8675309" for the token PIN):

+

+  Username: cr1 ("Y3Ix" base64 decoded)

+  Password: CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309

+

+Static protocol:

+

+The static protocol differs from the dynamic protocol in that the

+challenge question and response field is given to the user in the

+initial username/password dialog, and the username, password, and

+response are delivered back to the server in a single transaction.

+

+The "static-challenge" directive is used to give the challenge text

+to OpenVPN and indicate whether or not the response should be echoed.

+

+When the "static-challenge" directive is used, the management

+interface will respond as such when credentials are needed:

+

+  >PASSWORD:Need 'Auth' username/password SC:<ECHO>,<TEXT>

+

+  ECHO: "1" if response should be echoed, "0" to not echo

+  TEXT: challenge text that should be shown to the user to

+      facilitate their response

+

+For example:

+

+  >PASSWORD:Need 'Auth' username/password SC:1,Please enter token PIN

+

+The above notification indicates that OpenVPN needs a --auth-user-pass

+password plus a response to a static challenge ("Please enter token PIN").

+The "1" after the "SC:" indicates that the response should be echoed.

+

+The management interface client in this case should add the static

+challenge text to the auth dialog followed by a field for the user to

+enter a response.  Then the client should pack the password and response

+together into an encoded password:

+

+  username "Auth" foo

+  password "Auth" "SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>"

+

+For example, if the user entered "bar" as the password and 8675309

+as the PIN, the following management interface commands should be

+issued:

+

+  username "Auth" foo

+  password "Auth" "SCRV1:Zm9v:ODY3NTMwOQ=="

+

+Client-side support for challenge/response protocol:

+

+Currently, the Access Server client and standalone OpenVPN

+client support both static and dynamic challenge/response

+protocols.  However, any OpenVPN client UI that drives OpenVPN

+via the management interface needs to add explicit support

+for the challenge/response protocol.

@@ -1403,10 +1403,16 @@ get_user_pass_cr (struct user_pass *up,

 	  && ((auth_file && streq (auth_file, "management")) || (from_stdin && (flags & GET_USER_PASS_MANAGEMENT)))

 	  && management_query_user_pass_enabled (management))

 	{

+	  const char *sc = NULL;

+

 	  if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)

 	    management_auth_failure (management, prefix, "previous auth credentials failed");

-	  if (!management_query_user_pass (management, up, prefix, flags))

+#ifdef ENABLE_CLIENT_CR

+	  if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))

+	    sc = auth_challenge;

+#endif

+	  if (!management_query_user_pass (management, up, prefix, flags, sc))

 	    {

 	      if ((flags & GET_USER_PASS_NOFATAL) != 0)

 		return false;

@@ -1438,7 +1444,7 @@ get_user_pass_cr (struct user_pass *up,

       else if (from_stdin)

 	{

 #ifdef ENABLE_CLIENT_CR

-	  if (auth_challenge)

+	  if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE))

 	    {

 	      struct auth_challenge_info *ac = get_auth_challenge (auth_challenge, &gc);

 	      if (ac)

@@ -1447,7 +1453,7 @@ get_user_pass_cr (struct user_pass *up,

 		  struct buffer packed_resp;

 		  buf_set_write (&packed_resp, (uint8_t*)up->password, USER_PASS_LEN);

-		  msg (M_INFO, "CHALLENGE: %s", ac->challenge_text);

+		  msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", ac->challenge_text);

 		  if (!get_console_input ("Response:", BOOL_CAST(ac->flags&CR_ECHO), response, USER_PASS_LEN))

 		    msg (M_FATAL, "ERROR: could not read challenge response from stdin");

 		  strncpynt (up->username, ac->user, USER_PASS_LEN);

@@ -1477,6 +1483,28 @@ get_user_pass_cr (struct user_pass *up,

 	      if (!get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN))

 		msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix);

+

+#ifdef ENABLE_CLIENT_CR

+	      if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))

+		{

+		  char *response = (char *) gc_malloc (USER_PASS_LEN, false, &gc);

+		  struct buffer packed_resp;

+		  char *pw64=NULL, *resp64=NULL;

+

+		  msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", auth_challenge);

+		  if (!get_console_input ("Response:", BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), response, USER_PASS_LEN))

+		    msg (M_FATAL, "ERROR: could not read static challenge response from stdin");

+		  if (base64_encode(up->password, strlen(up->password), &pw64) == -1

+		      || base64_encode(response, strlen(response), &resp64) == -1)

+		    msg (M_FATAL, "ERROR: could not base64-encode password/static_response");

+		  buf_set_write (&packed_resp, (uint8_t*)up->password, USER_PASS_LEN);

+		  buf_printf (&packed_resp, "SCRV1:%s:%s", pw64, resp64);

+		  string_clear(pw64);

+		  free(pw64);

+		  string_clear(resp64);

+		  free(resp64);

+		}

+#endif

 	    }

 	}

       else

@@ -1544,42 +1572,8 @@ get_user_pass_cr (struct user_pass *up,

 #ifdef ENABLE_CLIENT_CR

 /*

- * Parse a challenge message returned along with AUTH_FAILED.

- * The message is formatted as such:

- *

- *  CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>

- *

- * flags: a series of optional, comma-separated flags:

- *  E : echo the response when the user types it

- *  R : a response is required

- *

- * state_id: an opaque string that should be returned to the server

- *  along with the response.

- *

- * username_base64 : the username formatted as base64

- *

- * challenge_text : the challenge text to be shown to the user

- *

- * Example challenge:

- *

- *   CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN

- *

- * After showing the challenge_text and getting a response from the user

- * (if R flag is specified), the client should submit the following

- * auth creds back to the OpenVPN server:

- *

- * Username: [username decoded from username_base64]

- * Password: CRV1::<state_id>::<response_text>

- *

- * Where state_id is taken from the challenge request and response_text

- * is what the user entered in response to the challenge_text.

- * If the R flag is not present, response_text may be the empty

- * string.

- *

- * Example response (suppose the user enters "8675309" for the token PIN):

- *

- *   Username: cr1 ("Y3Ix" base64 decoded)

- *   Password: CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309

+ * See management/management-notes.txt for more info on the

+ * the dynamic challenge/response protocol implemented here.

  */

 struct auth_challenge_info *

 get_auth_challenge (const char *auth_challenge, struct gc_arena *gc)

@@ -278,8 +278,19 @@ struct auth_challenge_info {

 struct auth_challenge_info *get_auth_challenge (const char *auth_challenge, struct gc_arena *gc);

+/*

+ * Challenge response info on client as pushed by server.

+ */

+struct static_challenge_info {

+# define SC_ECHO     (1<<0) /* echo response when typed by user */

+  unsigned int flags;

+

+  const char *challenge_text;

+};

+

 #else

 struct auth_challenge_info {};

+struct static_challenge_info {};

 #endif

 bool get_console_input (const char *prompt, const bool echo, char *input, const int capacity);

@@ -295,6 +306,10 @@ bool get_console_input (const char *prompt, const bool echo, char *input, const

 #define GET_USER_PASS_NEED_STR      (1<<5)

 #define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6)

+#define GET_USER_PASS_DYNAMIC_CHALLENGE      (1<<7) /* CRV1 protocol  -- dynamic challenge */

+#define GET_USER_PASS_STATIC_CHALLENGE       (1<<8) /* SCRV1 protocol -- static challenge */

+#define GET_USER_PASS_STATIC_CHALLENGE_ECHO  (1<<9) /* SCRV1 protocol -- echo response */

+

 bool get_user_pass_cr (struct user_pass *up,

 		       const char *auth_file,

 		       const char *prefix,

@@ -150,11 +150,6 @@ multi_tcp_instance_specific_init (struct multi_context *m, struct multi_instance

   ASSERT (mi->context.c2.link_socket);

   ASSERT (mi->context.c2.link_socket->info.lsa);

   ASSERT (mi->context.c2.link_socket->mode == LS_MODE_TCP_ACCEPT_FROM);

-  ASSERT (mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET

-#ifdef USE_PF_INET6

-	  || mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6

-#endif

-	  );

   if (!mroute_extract_openvpn_sockaddr (&mi->real, &mi->context.c2.link_socket->info.lsa->actual.dest, true))

     {

       msg (D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined");

@@ -1114,8 +1114,8 @@ addresses in packets.

 .\"*********************************************************

 .TP

 .B \-\-redirect-gateway flags...

-(Experimental) Automatically execute routing commands to cause all outgoing IP traffic

-to be redirected over the VPN.

+Automatically execute routing commands to cause all outgoing IP traffic

+to be redirected over the VPN.  This is a client-side option.

 This option performs three steps:

@@ -1154,6 +1154,11 @@ flag will cause step

 .B 1

 above to be omitted.

+.B autolocal \-\-

+Try to automatically determine whether to enable

+.B local

+flag above.

+

 .B def1 \-\-

 Use this flag to override

 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1

@@ -1172,12 +1177,10 @@ bypasses the tunnel

 (Available on Windows clients, may not be available

 on non-Windows clients).

-Using the def1 flag is highly recommended.

-.\"*********************************************************

-.TP

-.B \-\-redirect-private [flags]

-Like \-\-redirect-gateway, but omit actually changing the default

-gateway.  Useful when pushing private subnets.

+.B block-local \-\-

+Block access to local LAN when the tunnel is active, except for

+the LAN gateway itself.  This is accomplished by routing the local

+LAN (except for the LAN gateway address) into the tunnel.

 .\"*********************************************************

 .TP

 .B \-\-link-mtu n

@@ -1185,6 +1188,12 @@ Sets an upper bound on the size of UDP packets which are sent

 between OpenVPN peers.  It's best not to set this parameter unless

 you know what you're doing.

 .\"*********************************************************

+.\"*********************************************************

+.TP

+.B \-\-redirect-private [flags]

+Like \-\-redirect-gateway, but omit actually changing the default

+gateway.  Useful when pushing private subnets.

+.\"*********************************************************

 .TP

 .B \-\-tun-mtu n

 Take the TUN device MTU to be

@@ -2406,6 +2415,12 @@ for inputs which ordinarily would have been queried from the

 console.

 .\"*********************************************************

 .TP

+.B \-\-management-query-remote

+Allow management interface to override

+.B \-\-remote

+directives (client-only).

+.\"*********************************************************

+.TP

 .B \-\-management-forget-disconnect

 Make OpenVPN forget passwords when management session

 disconnects.

@@ -3425,6 +3440,21 @@ Note that while this option cannot be pushed, it can be controlled

 from the management interface.

 .\"*********************************************************

 .TP

+.B \-\-static\-challenge t e

+Enable static challenge/response protocol using challenge text

+.B t,

+with

+echo flag given by

+.B e

+(0|1).

+

+The echo flag indicates whether or not the user's response

+to the challenge should be echoed.

+

+See management\-notes.txt in the OpenVPN distribution for a

+description of the OpenVPN challenge/response protocol.

+.\"*********************************************************

+.TP

 .B \-\-server-poll-timeout n

 when polling possible remote servers to connect to

 in a round-robin fashion, spend no more than

@@ -5532,6 +5562,7 @@ script being run.  It can be one of the following:

 .B client-connect, client-disconnect, 

 or

 .B learn-address.

+Set prior to execution of any script.

 .\"*********************************************************

 .TP

 .B signal

@@ -358,6 +358,9 @@ static const char usage_message[] =

   "                      ip/port rather than listen as a TCP server.\n"

   "--management-query-passwords : Query management channel for private key\n"

   "                  and auth-user-pass passwords.\n"