authorJason A. Donenfeld <Jason@zx2c4.com>2020-11-19 18:23:00 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2020-11-22 22:00:32 +0100
commit06447c39fad2398e4c35c56acc5e66cc1e581f65 (patch)
treebd9d332f9d114ce2ae8f147b637c4900438aa547
parentinstaller: remove admin knobs in cleanup (diff)
downloadwireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.tar.xz
wireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.zip
tunnel: only enable DNS blocking for 0/0 configs
This lets people use split tunnel DNS for the more common case. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r--tunnel/addressconfig.go10
-rw-r--r--tunnel/firewall/blocker.go56
-rw-r--r--tunnel/service.go1
-rw-r--r--ui/editdialog.go2
4 files changed, 29 insertions, 40 deletions
diff --git a/tunnel/addressconfig.go b/tunnel/addressconfig.go
index 6aba9ce8..c293df1b 100644
--- a/tunnel/addressconfig.go
+++ b/tunnel/addressconfig.go
@@ -180,7 +180,6 @@ func configureInterface(family winipcfg.AddressFamily, conf *conf.Config, tun *t
}
func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
- restrictAll := false
if len(conf.Peers) == 1 {
nextallowedip:
for _, allowedip := range conf.Peers[0].AllowedIPs {
@@ -190,13 +189,10 @@ func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
continue nextallowedip
}
}
- restrictAll = true
- break
+ log.Println("Enabling firewall rules")
+ return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS)
}
}
}
- if restrictAll && len(conf.Interface.DNS) == 0 {
- log.Println("Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.")
- }
- return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS, restrictAll)
+ return nil
}
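Review bot: The warning for a 0.0.0.0/0 or ::/0 configuration that lists no DNS server is dropped together with restrictAll, yet on the new path EnableFirewall's block-all ruleset is still installed in exactly that case, so a user who forgets `DNS =` presumably loses name resolution with nothing in the log to explain it. Keep the diagnostic next to the new "Enabling firewall rules" line, `if len(conf.Interface.DNS) == 0 { log.Println("Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.") }`, immediately before `return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS)`. The unconditional blockAll is visible in the blocker.go hunk at @@ -141; enableFirewall's signature and the head of the allowed-IP loop are in the preceding hunk, so this function starts outside this hunk.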
diff --git a/tunnel/firewall/blocker.go b/tunnel/firewall/blocker.go
index 7da391ca..54645d24 100644
--- a/tunnel/firewall/blocker.go
+++ b/tunnel/firewall/blocker.go
@@ -101,7 +101,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) {
return bo, nil
}
-func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool) error {
+func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error {
if wfpSession != 0 {
return errors.New("The firewall has already been enabled")
}
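Review bot: EnableFirewall is exported and its contract changes here — with restrictAll removed the block-all ruleset is always installed — but the new signature still has no doc comment; the lines directly above it in the hunk are the closing brace of registerBaseObjects. Add one that states the new contract, e.g. `// EnableFirewall installs a WFP ruleset for the tunnel interface luid that blocks all traffic except loopback, DHCP, NDP, traffic to and from the tunnel itself, and DNS to restrictToDNSServers. It fails if the firewall is already enabled.` The DNS permit logic is outside the visible hunks, so confirm that wording against it. The function body continues through the two hunks below.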
@@ -129,11 +129,9 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool
}
}
- if restrictAll {
- err = permitLoopback(session, baseObjects, 13)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitLoopback(session, baseObjects, 13)
+ if err != nil {
+ return wrapErr(err)
}
err = permitTunInterface(session, baseObjects, 12, luid)
@@ -141,36 +139,32 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool
return wrapErr(err)
}
- if restrictAll {
- err = permitDHCPIPv4(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitDHCPIPv4(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitDHCPIPv6(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitDHCPIPv6(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitNdp(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitNdp(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
- * In other words, if somebody complains, try enabling it. For now, keep it off.
- err = permitHyperV(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
- */
+ /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
+ * In other words, if somebody complains, try enabling it. For now, keep it off.
+ err = permitHyperV(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
}
+ */
- if restrictAll {
- err = blockAll(session, baseObjects, 0)
- if err != nil {
- return wrapErr(err)
- }
+ err = blockAll(session, baseObjects, 0)
+ if err != nil {
+ return wrapErr(err)
}
return nil
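Review bot: With blockAll now unconditional, the weight of 0 on its call versus the 12 and 13 used by the permit rules above is what keeps the tunnel, DHCP, NDP and loopback exceptions effective, and nothing in the function says so. A one-line comment on the call, `// Lowest weight: every permit rule registered above (weights 12 and 13) must outrank this catch-all block.`, would spare the next reader a trip to the WFP documentation; this assumes all filters share one sublayer where the higher weight is evaluated first, which the visible code does not show, so confirm it. The permitDHCPIPv4, permitDHCPIPv6 and permitNdp sequences are identical in shape and could be folded into a loop over the three functions, but that is cosmetic. EnableFirewall begins in the @@ -101 hunk above.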
diff --git a/tunnel/service.go b/tunnel/service.go
index 8b81f56d..33b5c116 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
@@ -171,7 +171,6 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest,
log.Printf("Using Wintun/%d.%d", (wintunVersion>>16)&0xffff, wintunVersion&0xffff)
}
- log.Println("Enabling firewall rules")
err = enableFirewall(conf, nativeTun)
if err != nil {
serviceError = services.ErrorFirewall
diff --git a/ui/editdialog.go b/ui/editdialog.go
index 5c6d0ac0..97dcb612 100644
--- a/ui/editdialog.go
+++ b/ui/editdialog.go
@@ -129,7 +129,7 @@ func newEditDialog(owner walk.Form, tunnel *manager.Tunnel) (*EditDialog, error)
return nil, err
}
dlg.blockUntunneledTrafficCB.SetText(l18n.Sprintf("&Block untunneled traffic (kill-switch)"))
- dlg.blockUntunneledTrafficCB.SetToolTipText(l18n.Sprintf("When a configuration has exactly one peer, and that peer has an allowed IPs containing at least one of 0.0.0.0/0 or ::/0, then the tunnel service engages a firewall ruleset to block all traffic that is neither to nor from the tunnel interface, with special exceptions for DHCP and NDP."))
+ dlg.blockUntunneledTrafficCB.SetToolTipText(l18n.Sprintf("When a configuration has exactly one peer, and that peer has an allowed IPs containing at least one of 0.0.0.0/0 or ::/0, then the tunnel service engages a firewall ruleset to block all traffic that is neither to nor from the tunnel interface or is to the wrong DNS server, with special exceptions for DHCP and NDP."))
dlg.blockUntunneledTrafficCB.SetVisible(false)
dlg.blockUntunneledTrafficCB.CheckedChanged().Attach(dlg.onBlockUntunneledTrafficCBCheckedChanged)