adrienverge · DimitriPapadopoulos · Dec 18, 2020 · Dec 8, 2020 · Dec 10, 2020 · Dec 15, 2022
diff --git a/configure.ac b/configure.ac
@@ -79,6 +79,8 @@ AC_CHECK_HEADERS([net/route.h], [], AC_MSG_ERROR([Required header not found]), [
 # Checks for optional header files.
 AC_CHECK_HEADERS([ \
 libutil.h \
+linux/if_ppp.h \
+linux/if_tun.h \
 mach/mach.h \
 pty.h \
 semaphore.h \

diff --git a/doc/openfortivpn.1.in b/doc/openfortivpn.1.in
@@ -16,6 +16,7 @@ openfortivpn \- Client for PPP+TLS VPN tunnel services
 [\fB\-\-otp\-delay=\fI<delay>\fR]
 [\fB\-\-no\-ftm\-push\fR]
 [\fB\-\-realm=\fI<realm>\fR]
+[\fB\-\-tun=\fI<bool>\fR]
 [\fB\-\-ifname=\fI<interface>\fR]
 [\fB\-\-set\-routes=\fI<bool>\fR]
 [\fB\-\-no\-routes\fR]
@@ -106,6 +107,9 @@ authentication based on OTP will be used instead.
 Connect to the specified authentication realm. Defaults to empty, which
 is usually what you want.
 .TP
+\fB\-\-tun=\fI<bool>\fR
+Set to create a TUN device and use internal PPP code (experimental).
+.TP
 \fB\-\-ifname=\fI<interface>\fR
 Bind the connection to the specified network interface.
 .TP
@@ -182,9 +186,9 @@ OpenSSL ciphers to use. If default does not work, you can try alternatives
 such as HIGH:!MD5:!RC4 or as suggested by the Cipher: line in the output of
 \fBopenssl\fP(1) (e.g. AES256-GCM-SHA384):
 
-$ openssl s_client -connect \fI<host:port>\fR
+  $ openssl s_client -connect \fI<host:port>\fR
 
-(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)
+  (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)
 
 \fBApplies to TLS v1.2 or lower only, not to be used with TLS v1.3 ciphers.\fR
 .TP

diff --git a/src/config.c b/src/config.c
@@ -51,6 +51,7 @@ const struct vpn_config invalid_cfg = {
 	.no_ftm_push = -1,
 	.pinentry = NULL,
 	.realm = {'\0'},
+	.tun = -1,
 	.iface_name = {'\0'},
 	.sni = {'\0'},
 	.set_routes = -1,
@@ -538,6 +539,8 @@ void merge_config(struct vpn_config *dst, struct vpn_config *src)
 		free(dst->pinentry);
 		dst->pinentry = src->pinentry;
 	}
+	if (src->tun != invalid_cfg.tun)
+		dst->tun = src->tun;
 	if (src->realm[0])
 		strcpy(dst->realm, src->realm);
 	if (src->iface_name[0])

diff --git a/src/config.h b/src/config.h
@@ -95,6 +95,7 @@ struct vpn_config {
 	unsigned int		otp_delay;
 	int			no_ftm_push;
 	char			*pinentry;
+	int			tun;
 	char			iface_name[IF_NAMESIZE];
 	char			realm[REALM_SIZE + 1];
 

diff --git a/src/http.c b/src/http.c
@@ -832,6 +832,11 @@ static int parse_xml_config(struct tunnel *tunnel, const char *buffer)
 	if (!gateway)
 		log_warn("No gateway address, using interface for routing\n");
 
+	if (tunnel->config->tun) {
+		tunnel->ipv4.ip_addr.s_addr = inet_addr(gateway);
+		tunnel->ipv4.peer_addr.s_addr = inet_addr("192.0.2.1");
+	}
+
 	// The dns search string
 	val = buffer;
 	while ((val = xml_find('<', "dns", val, 2))) {