Add OpenVPN TCP for guest holes [VPNWIN-2832]

Mindaugas Veblauskas · Thomas Felices · commit d823fa7dc7eb · 2025-06-13T11:38:32.000Z
diff --git a/src/Client/Logic/Connection/ProtonVPN.Client.Logic.Connection/RequestCreators/GuestHoleConnectionRequestCreator.cs b/src/Client/Logic/Connection/ProtonVPN.Client.Logic.Connection/RequestCreators/GuestHoleConnectionRequestCreator.cs
@@ -1,5 +1,5 @@
 ﻿/*
- * Copyright (c) 2023 Proton AG
+ * Copyright (c) 2025 Proton AG
  *
  * This file is part of ProtonVPN.
  *
@@ -23,6 +23,7 @@
 using ProtonVPN.Client.Logic.Connection.Contracts.RequestCreators;
 using ProtonVPN.Client.Settings.Contracts;
 using ProtonVPN.Common.Legacy.Vpn;
+using ProtonVPN.Configurations.Contracts;
 using ProtonVPN.EntityMapping.Contracts;
 using ProtonVPN.Logging.Contracts;
 using ProtonVPN.ProcessCommunication.Contracts.Entities.Settings;
@@ -32,30 +33,34 @@ namespace ProtonVPN.Client.Logic.Connection.RequestCreators;
 
 public class GuestHoleConnectionRequestCreator : ConnectionRequestCreatorBase, IGuestHoleConnectionRequestCreator
 {
+    private readonly IConfiguration _config;
     private readonly IConnectionKeyManager _connectionKeyManager;
 
     public GuestHoleConnectionRequestCreator(
+        IConfiguration config,
         ILogger logger,
         ISettings settings,
         IEntityMapper entityMapper,
         IConnectionKeyManager connectionKeyManager,
         IMainSettingsRequestCreator mainSettingsRequestCreator)
         : base(logger, settings, entityMapper, mainSettingsRequestCreator)
     {
+        _config = config;
         _connectionKeyManager = connectionKeyManager;
     }
 
     public async Task<ConnectionRequestIpcEntity> CreateAsync(IEnumerable<GuestHoleServerContract> servers)
     {
         MainSettingsIpcEntity settings = GetSettings();
-        settings.VpnProtocol = VpnProtocolIpcEntity.WireGuardTls;
+        settings.OpenVpnAdapter = OpenVpnAdapterIpcEntity.Tap;
+        settings.VpnProtocol = VpnProtocolIpcEntity.Smart;
 
         ConnectionRequestIpcEntity request = new()
         {
             RetryId = Guid.NewGuid(),
             Config = GetVpnConfig(settings),
             Credentials = await GetVpnCredentialsAsync(),
-            Protocol = VpnProtocolIpcEntity.WireGuardTls,
+            Protocol = VpnProtocolIpcEntity.Smart,
             Servers = GetVpnServers(servers),
             Settings = settings,
         };
@@ -68,19 +73,33 @@ protected override VpnConfigIpcEntity GetVpnConfig(MainSettingsIpcEntity setting
         return new()
         {
             VpnProtocol = settings.VpnProtocol,
-            PreferredProtocols = [ VpnProtocolIpcEntity.WireGuardTls ],
-            Ports = { { VpnProtocolIpcEntity.WireGuardTls, Settings.WireGuardTlsPorts } },
+            PreferredProtocols = [
+                VpnProtocolIpcEntity.WireGuardTls,
+                VpnProtocolIpcEntity.OpenVpnTcp,
+            ],
+            Ports = {
+                { VpnProtocolIpcEntity.WireGuardTls, Settings.WireGuardTlsPorts },
+                { VpnProtocolIpcEntity.OpenVpnTcp, Settings.OpenVpnTcpPorts },
+            },
         };
     }
 
     protected override Task<VpnCredentialsIpcEntity> GetVpnCredentialsAsync()
     {
         VpnCredentialsIpcEntity credentials = EntityMapper.Map<VpnCredentials, VpnCredentialsIpcEntity>(
-            new VpnCredentials(_connectionKeyManager.GenerateTemporaryKeyPair()));
+            new VpnCredentials(
+                _connectionKeyManager.GenerateTemporaryKeyPair(),
+                AddSuffixToUsername(_config.GuestHoleVpnUsername),
+                _config.GuestHoleVpnPassword));
 
         return Task.FromResult(credentials);
     }
 
+    private string AddSuffixToUsername(string username)
+    {
+        return username + _config.VpnUsernameSuffix;
+    }
+
     private VpnServerIpcEntity[] GetVpnServers(IEnumerable<GuestHoleServerContract> servers)
     {
         return servers
diff --git a/src/Configurations/ProtonVPN.Configurations.Contracts/IConfiguration.cs b/src/Configurations/ProtonVPN.Configurations.Contracts/IConfiguration.cs
@@ -1,5 +1,5 @@
 ﻿/*
- * Copyright (c) 2023 Proton AG
+ * Copyright (c) 2025 Proton AG
  *
  * This file is part of ProtonVPN.
  *
@@ -29,6 +29,8 @@ public interface IConfiguration : IStaticConfiguration
     string ApiVersion { get; }
     string ServerValidationPublicKey { get; }
 
+    string GuestHoleVpnUsername { get; }
+    string GuestHoleVpnPassword { get; }
     string VpnUsernameSuffix { get; }
     string DoHVerifyApiHost { get; }
 
diff --git a/src/Configurations/ProtonVPN.Configurations/Configuration.cs b/src/Configurations/ProtonVPN.Configurations/Configuration.cs
@@ -30,6 +30,8 @@ public partial class Configuration : StaticConfiguration, IConfiguration
     public string ApiVersion => Get();
     public string ServerValidationPublicKey => Get();
 
+    public string GuestHoleVpnUsername => Get();
+    public string GuestHoleVpnPassword => Get();
     public string VpnUsernameSuffix => Get();
     public string DoHVerifyApiHost => Get();
 
diff --git a/src/Configurations/ProtonVPN.Configurations/Defaults/DefaultConfiguration.cs b/src/Configurations/ProtonVPN.Configurations/Defaults/DefaultConfiguration.cs
@@ -144,6 +144,8 @@ public static class DefaultConfiguration
 
     public static string ServerValidationPublicKey => "MCowBQYDK2VwAyEANpYpt/FlSRwEuGLMoNAGOjy1BTyEJPJvKe00oln7LZk=";
     public static string VpnUsernameSuffix => "+pw"; // p - proton, w - windows
+    public static string GuestHoleVpnUsername => "guest";
+    public static string GuestHoleVpnPassword => "guest";
     public static string DoHVerifyApiHost => "verify-api.protonvpn.com";
 
     public static string NtpServerUrl => "time.windows.com";
diff --git a/src/ProcessCommunication/ProtonVPN.ProcessCommunication.Contracts/Entities/Vpn/VpnCredentialsIpcEntity.cs b/src/ProcessCommunication/ProtonVPN.ProcessCommunication.Contracts/Entities/Vpn/VpnCredentialsIpcEntity.cs
@@ -31,4 +31,10 @@ public class VpnCredentialsIpcEntity
 
     [DataMember(Order = 2)]
     public AsymmetricKeyPairIpcEntity ClientKeyPair { get; set; }
+
+    [DataMember(Order = 3)]
+    public string Username { get; set; }
+
+    [DataMember(Order = 4)]
+    public string Password { get; set; }
 }
diff --git a/src/ProcessCommunication/ProtonVPN.ProcessCommunication.EntityMapping.Tests/Vpn/ConnectionRequestMapperTest.cs b/src/ProcessCommunication/ProtonVPN.ProcessCommunication.EntityMapping.Tests/Vpn/ConnectionRequestMapperTest.cs
@@ -117,7 +117,9 @@ public void TestMapLeftToRight()
             new VpnConfig(new VpnConfigParameters()),
             new VpnCredentials(string.Empty, DateTime.UtcNow.AddDays(1), new AsymmetricKeyPair(
                 new SecretKey("PVPN", KeyAlgorithm.Unknown),
-                new PublicKey("PVPN", KeyAlgorithm.Unknown))));
+                new PublicKey("PVPN", KeyAlgorithm.Unknown)),
+                "username",
+                "password"));
 
 
         ConnectionRequestIpcEntity result = _mapper.Map(entityToTest);
diff --git a/src/ProcessCommunication/ProtonVPN.ProcessCommunication.EntityMapping.Tests/Vpn/VpnCredentialsMapperTest.cs b/src/ProcessCommunication/ProtonVPN.ProcessCommunication.EntityMapping.Tests/Vpn/VpnCredentialsMapperTest.cs
@@ -71,14 +71,18 @@ public void TestMapLeftToRight_WithCertificate()
             DateTime.UtcNow.AddDays(1),
             new AsymmetricKeyPair(
                 new SecretKey("PVPN", KeyAlgorithm.Ed25519),
-                new PublicKey("PVPN", KeyAlgorithm.Ed25519)));
+                new PublicKey("PVPN", KeyAlgorithm.Ed25519)),
+            "username",
+            "password");
 
         VpnCredentialsIpcEntity result = _mapper.Map(entityToTest);
 
         Assert.IsNotNull(result);
         Assert.AreEqual(entityToTest.ClientCertPem, result.Certificate.Pem);
         Assert.AreEqual(entityToTest.ClientCertificateExpirationDateUtc, result.Certificate.ExpirationDateUtc);
         Assert.AreEqual(_expectedAsymmetricKeyPairIpcEntity, result.ClientKeyPair);
+        Assert.AreEqual(entityToTest.Username, result.Username);
+        Assert.AreEqual(entityToTest.Password, result.Password);
     }
 
     [TestMethod]
@@ -87,7 +91,9 @@ public void TestMapRightToLeft_WithCertificate()
         VpnCredentialsIpcEntity entityToTest = new()
         {
             Certificate = CreateCertificate(),
-            ClientKeyPair = new AsymmetricKeyPairIpcEntity()
+            ClientKeyPair = new AsymmetricKeyPairIpcEntity(),
+            Username = "username",
+            Password = "password",
         };
 
         VpnCredentials result = _mapper.Map(entityToTest);
@@ -96,6 +102,8 @@ public void TestMapRightToLeft_WithCertificate()
         Assert.AreEqual(entityToTest.Certificate.Pem, result.ClientCertPem);
         Assert.AreEqual(entityToTest.Certificate.ExpirationDateUtc, result.ClientCertificateExpirationDateUtc);
         Assert.AreEqual(_expectedAsymmetricKeyPair, result.ClientKeyPair);
+        Assert.AreEqual(entityToTest.Username, result.Username);
+        Assert.AreEqual(entityToTest.Password, result.Password);
     }
 
     private ConnectionCertificateIpcEntity CreateCertificate()
diff --git a/src/ProcessCommunication/ProtonVPN.ProcessCommunication.EntityMapping/Vpn/VpnCredentialsMapper.cs b/src/ProcessCommunication/ProtonVPN.ProcessCommunication.EntityMapping/Vpn/VpnCredentialsMapper.cs
@@ -1,5 +1,5 @@
 ﻿/*
- * Copyright (c) 2024 Proton AG
+ * Copyright (c) 2025 Proton AG
  *
  * This file is part of ProtonVPN.
  *
@@ -43,14 +43,18 @@ public VpnCredentialsIpcEntity Map(VpnCredentials leftEntity)
                 Pem = leftEntity.ClientCertPem ?? string.Empty,
                 ExpirationDateUtc = leftEntity.ClientCertificateExpirationDateUtc ?? DateTime.MinValue,
             },
-            ClientKeyPair = _entityMapper.Map<AsymmetricKeyPair, AsymmetricKeyPairIpcEntity>(leftEntity.ClientKeyPair)
+            ClientKeyPair = _entityMapper.Map<AsymmetricKeyPair, AsymmetricKeyPairIpcEntity>(leftEntity.ClientKeyPair),
+            Username = leftEntity.Username,
+            Password = leftEntity.Password,
         };
     }
 
     public VpnCredentials Map(VpnCredentialsIpcEntity rightEntity)
     {
         return new(rightEntity.Certificate.Pem,
             rightEntity.Certificate.ExpirationDateUtc,
-            _entityMapper.Map<AsymmetricKeyPairIpcEntity, AsymmetricKeyPair>(rightEntity.ClientKeyPair));
+            _entityMapper.Map<AsymmetricKeyPairIpcEntity, AsymmetricKeyPair>(rightEntity.ClientKeyPair),
+            rightEntity.Username,
+            rightEntity.Password);
     }
 }
diff --git a/src/ProtonVPN.Common.Legacy/Vpn/VpnCredentials.cs b/src/ProtonVPN.Common.Legacy/Vpn/VpnCredentials.cs
@@ -1,5 +1,5 @@
 ﻿/*
- * Copyright (c) 2023 Proton AG
+ * Copyright (c) 2025 Proton AG
  *
  * This file is part of ProtonVPN.
  *
@@ -28,21 +28,31 @@ public readonly struct VpnCredentials
     public VpnCredentials(
         string clientCertPem,
         DateTime? clientCertificateExpirationDateUtc,
-        AsymmetricKeyPair clientKeyPair)
+        AsymmetricKeyPair clientKeyPair,
+        string username,
+        string password)
     {
         Ensure.NotNull(clientKeyPair, nameof(clientKeyPair));
 
         ClientCertPem = clientCertPem;
         ClientCertificateExpirationDateUtc = clientCertificateExpirationDateUtc;
         ClientKeyPair = clientKeyPair;
+        Username = username;
+        Password = password;
     }
 
-    public VpnCredentials(AsymmetricKeyPair clientKeyPair) : this(string.Empty, null, clientKeyPair)
+    public VpnCredentials(AsymmetricKeyPair clientKeyPair) : this(string.Empty, null, clientKeyPair, string.Empty, string.Empty)
     {
     }
 
+    public VpnCredentials(AsymmetricKeyPair clientKeyPair, string username, string password) : this(string.Empty, null, clientKeyPair, username, password)
+    {
+    }
+
+    public string Username { get; }
+    public string Password { get; }
+
     public string ClientCertPem { get; }
     public DateTime? ClientCertificateExpirationDateUtc { get; }
-
     public AsymmetricKeyPair ClientKeyPair { get; }
 }
diff --git a/src/ProtonVPN.Vpn/Management/ManagementClient.cs b/src/ProtonVPN.Vpn/Management/ManagementClient.cs
@@ -170,6 +170,16 @@ private async void HandleMessage(ReceivedManagementMessage message)
                 _disconnectAccepted = true;
                 handled = true;
             }
+            else if (message.IsUsernameNeeded)
+            {
+                await TrySend(_managementChannel.Messages.Username(_credentials.Username));
+                handled = true;
+            }
+            else if (message.IsPasswordNeeded)
+            {
+                await TrySend(_managementChannel.Messages.Password(_credentials.Password));
+                handled = true;
+            }
             else if (message.IsControlMessage)
             {
                 HandleControlMessage(message);
diff --git a/src/ProtonVPN.Vpn/Management/ReceivedManagementMessage.cs b/src/ProtonVPN.Vpn/Management/ReceivedManagementMessage.cs
@@ -47,6 +47,10 @@ public ReceivedManagementMessage(string messageText)
 
         public bool IsByteCountSet => _messageText.StartsWithIgnoringCase("SUCCESS: bytecount");
 
+        public bool IsUsernameNeeded => _messageText.StartsWithIgnoringCase(">PASSWORD:Need");
+
+        public bool IsPasswordNeeded => _messageText.StartsWithIgnoringCase("SUCCESS: 'Auth' username entered");
+
         public bool IsLogSet => _messageText.StartsWithIgnoringCase("SUCCESS: real-time log notification set");
 
         public bool IsByteCount => _messageText.StartsWithIgnoringCase(">BYTECOUNT");
diff --git a/src/ProtonVPN.Vpn/OpenVpn/ConfigTemplate.cs b/src/ProtonVPN.Vpn/OpenVpn/ConfigTemplate.cs
@@ -50,9 +50,17 @@ public string GetConfig(VpnCredentials vpnCredentials)
             .AppendLine("key-direction 1")
             .AppendLine("disable-dco")
             .AppendLine(GetTlsAuth())
-            .AppendLine(GetCertificate())
-            .AppendLine("<cert>").AppendLine(vpnCredentials.ClientCertPem.Trim()).AppendLine("</cert>")
-            .AppendLine("<key>").AppendLine(vpnCredentials.ClientKeyPair.SecretKey.Pem).AppendLine("</key>");
+            .AppendLine(GetCertificate());
+
+        if (!string.IsNullOrEmpty(vpnCredentials.Username) && !string.IsNullOrEmpty(vpnCredentials.Password))
+        {
+            sb.AppendLine("auth-user-pass");
+        }
+        else
+        {
+            sb.AppendLine("<cert>").AppendLine(vpnCredentials.ClientCertPem.Trim()).AppendLine("</cert>");
+            sb.AppendLine("<key>").AppendLine(vpnCredentials.ClientKeyPair.SecretKey.Pem).AppendLine("</key>");
+        }
 
         return sb.ToString();
     }
diff --git a/src/Tests/ProtonVPN.Vpn.Tests/Connection/HandlingRequestsWrapperTest.cs b/src/Tests/ProtonVPN.Vpn.Tests/Connection/HandlingRequestsWrapperTest.cs
@@ -58,7 +58,9 @@ public void TestInitialize()
             DateTime.UtcNow.AddDays(1),
             new AsymmetricKeyPair(
                 new SecretKey("U2VjcmV0S2V5", KeyAlgorithm.Unknown),
-                new PublicKey("UHVibGljS2V5", KeyAlgorithm.Unknown)));
+                new PublicKey("UHVibGljS2V5", KeyAlgorithm.Unknown)),
+            "username",
+            "password");
         _config = new VpnConfig(new VpnConfigParameters());
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (c) 2023 Proton AG`
	`2`	`+ * Copyright (c) 2025 Proton AG`
`3`	`3`	`*`
`4`	`4`	`* This file is part of ProtonVPN.`
`5`	`5`	`*`
`@@ -29,6 +29,8 @@ public interface IConfiguration : IStaticConfiguration`
`29`	`29`	`string ApiVersion { get; }`
`30`	`30`	`string ServerValidationPublicKey { get; }`
`31`	`31`
	`32`	`+ string GuestHoleVpnUsername { get; }`
	`33`	`+ string GuestHoleVpnPassword { get; }`
`32`	`34`	`string VpnUsernameSuffix { get; }`
`33`	`35`	`string DoHVerifyApiHost { get; }`
`34`	`36`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (c) 2024 Proton AG`
	`2`	`+ * Copyright (c) 2025 Proton AG`
`3`	`3`	`*`
`4`	`4`	`* This file is part of ProtonVPN.`
`5`	`5`	`*`
`@@ -43,14 +43,18 @@ public VpnCredentialsIpcEntity Map(VpnCredentials leftEntity)`
`43`	`43`	`Pem = leftEntity.ClientCertPem ?? string.Empty,`
`44`	`44`	`ExpirationDateUtc = leftEntity.ClientCertificateExpirationDateUtc ?? DateTime.MinValue,`
`45`	`45`	`},`
`46`		`- ClientKeyPair = _entityMapper.Map<AsymmetricKeyPair, AsymmetricKeyPairIpcEntity>(leftEntity.ClientKeyPair)`
	`46`	`+ ClientKeyPair = _entityMapper.Map<AsymmetricKeyPair, AsymmetricKeyPairIpcEntity>(leftEntity.ClientKeyPair),`
	`47`	`+ Username = leftEntity.Username,`
	`48`	`+ Password = leftEntity.Password,`
`47`	`49`	`};`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`public VpnCredentials Map(VpnCredentialsIpcEntity rightEntity)`
`51`	`53`	`{`
`52`	`54`	`return new(rightEntity.Certificate.Pem,`
`53`	`55`	`rightEntity.Certificate.ExpirationDateUtc,`
`54`		`- _entityMapper.Map<AsymmetricKeyPairIpcEntity, AsymmetricKeyPair>(rightEntity.ClientKeyPair));`
	`56`	`+ _entityMapper.Map<AsymmetricKeyPairIpcEntity, AsymmetricKeyPair>(rightEntity.ClientKeyPair),`
	`57`	`+ rightEntity.Username,`
	`58`	`+ rightEntity.Password);`
`55`	`59`	`}`
`56`	`60`	`}`