authorJason A. Donenfeld <Jason@zx2c4.com>2020-11-23 20:25:34 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2020-11-23 20:31:23 +0100
commitfc1c72658f6f264e8983cb09ceee258309b78461 (patch)
treed4070da577f10afda50a7931d91c75b13eab5e8f
parentmod: bump (diff)
firewall: add allow rule for tunnel service process even when no blocking is required
This is essential for allowing incoming connections. Reported-by: /u/Julien_Madagascar on Reddit Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--docs/netquirk.md2
-rw-r--r--tunnel/addressconfig.go8
-rw-r--r--tunnel/firewall/blocker.go72
3 files changed, 43 insertions, 39 deletions
diff --git a/docs/netquirk.md b/docs/netquirk.md
index 0a7f1963..b295b204 100644
--- a/docs/netquirk.md
+++ b/docs/netquirk.md
@@ -22,7 +22,7 @@ If you'd like to use a default route _without_ having these restrictive kill-swi
### Considerations for non-`/0` Allowed IPs
-When the above conditions do not apply, routing and DNS information is handed to Windows in the typical way for Windows to manage. This includes its [ordinary multihomed DNS resolution behavior](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29) as well as its ordinary routing table resolution. Users may make use of the normal Windows firewalling and network configuration capabilities to firewall this as needed.
+When the above conditions do not apply, routing and DNS information is handed to Windows in the typical way for Windows to manage. This includes its [ordinary multihomed DNS resolution behavior](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29) as well as its ordinary routing table resolution. Users may make use of the normal Windows firewalling and network configuration capabilities to firewall this as needed. One firewall rule is added, however, which allows the tunnel service to send and receive WireGuard packets.
### Network List Manager
diff --git a/tunnel/addressconfig.go b/tunnel/addressconfig.go
index 571da9d1..d2667e21 100644
--- a/tunnel/addressconfig.go
+++ b/tunnel/addressconfig.go
@@ -180,6 +180,7 @@ func configureInterface(family winipcfg.AddressFamily, conf *conf.Config, tun *t
}
func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
+ doNotRestrict := true
if len(conf.Peers) == 1 {
nextallowedip:
for _, allowedip := range conf.Peers[0].AllowedIPs {
@@ -189,10 +190,11 @@ func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
continue nextallowedip
}
}
- log.Println("Enabling firewall rules")
- return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS)
+ doNotRestrict = false
+ break
}
}
}
- return nil
+ log.Println("Enabling firewall rules")
+ return firewall.EnableFirewall(tun.LUID(), doNotRestrict, conf.Interface.DNS)
}
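Review bot: The `log.Println("Enabling firewall rules")` line now runs in both modes, so an operator reading the service log can no longer tell whether the restrictive kill-switch rules were installed or only the tunnel-service allow rule; logging the mode, e.g. `log.Printf("Enabling firewall rules (restrictive: %v)", !doNotRestrict)`, keeps that distinction visible. The negated flag also makes the call site `firewall.EnableFirewall(tun.LUID(), doNotRestrict, conf.Interface.DNS)` hard to read, since `doNotRestrict := true` in the previous hunk is flipped to `false` only when the single peer appears to carry a /0 AllowedIP (that check sits between the two hunks). A positively named `restrict` flag, or at least a comment at the declaration such as `// Restrict traffic only when the single peer owns a default (/0) route; otherwise just permit the tunnel service.`, would state the intent where it is set. enableFirewall begins in the preceding hunk.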
diff --git a/tunnel/firewall/blocker.go b/tunnel/firewall/blocker.go
index eb3c149d..b32a90e1 100644
--- a/tunnel/firewall/blocker.go
+++ b/tunnel/firewall/blocker.go
@@ -101,7 +101,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) {
return bo, nil
}
-func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error {
+func EnableFirewall(luid uint64, doNotRestrict bool, restrictToDNSServers []net.IP) error {
if wfpSession != 0 {
return errors.New("The firewall has already been enabled")
}
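Review bot: EnableFirewall is exported and gains a new `doNotRestrict bool` parameter, but the signature still carries no doc comment describing what the two modes install, and the parameter name does not say which rules are skipped. Per the commit message and the second hunk, a true value bypasses blockDNS, permitLoopback, permitTunInterface, the DHCP/NDP permits and blockAll, leaving only whatever is added before that branch (not visible here); a comment such as `// EnableFirewall installs the WFP rules for the tunnel. When doNotRestrict is true only the rules permitting the tunnel service itself are added and no blocking rules are installed; otherwise all traffic outside the tunnel (and DNS outside restrictToDNSServers) is blocked.` would document the contract callers now depend on. The function body continues in the following hunk.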
@@ -122,49 +122,51 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error {
return wrapErr(err)
}
- if len(restrictToDNSServers) > 0 {
- err = blockDNS(restrictToDNSServers, session, baseObjects, 15, 14)
+ if !doNotRestrict {
+ if len(restrictToDNSServers) > 0 {
+ err = blockDNS(restrictToDNSServers, session, baseObjects, 15, 14)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ err = permitLoopback(session, baseObjects, 13)
if err != nil {
return wrapErr(err)
}
- }
- err = permitLoopback(session, baseObjects, 13)
- if err != nil {
- return wrapErr(err)
- }
-
- err = permitTunInterface(session, baseObjects, 12, luid)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitTunInterface(session, baseObjects, 12, luid)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitDHCPIPv4(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitDHCPIPv4(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitDHCPIPv6(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitDHCPIPv6(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitNdp(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitNdp(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
- * In other words, if somebody complains, try enabling it. For now, keep it off.
- err = permitHyperV(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
- */
+ /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
+ * In other words, if somebody complains, try enabling it. For now, keep it off.
+ err = permitHyperV(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
+ */
- err = blockAll(session, baseObjects, 0)
- if err != nil {
- return wrapErr(err)
+ err = blockAll(session, baseObjects, 0)
+ if err != nil {
+ return wrapErr(err)
+ }
}
return nil