authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 16:53:05 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 16:53:05 +0200
commit9316f1c3d4fc47fb4f806d9554bfc78a4a7357ed (patch)
tree18943c62deb6aa40cdaa4a2b6cad931546d0ff43
parentfirewall: introduce incomplete untested prototype (diff)
downloadwireguard-windows-9316f1c3d4fc47fb4f806d9554bfc78a4a7357ed.tar.xz
wireguard-windows-9316f1c3d4fc47fb4f806d9554bfc78a4a7357ed.zip
service: wire up firewall
-rw-r--r--service/errors.go3
-rw-r--r--service/ifaceconfig.go25
-rw-r--r--service/service_manager.go2
-rw-r--r--service/service_tunnel.go45
4 files changed, 57 insertions, 18 deletions
diff --git a/service/errors.go b/service/errors.go
index e456818b..ecc0283a 100644
--- a/service/errors.go
+++ b/service/errors.go
@@ -21,6 +21,7 @@ const (
ErrorDetermineWintunName
ErrorUAPIListen
ErrorDNSLookup
+ ErrorFirewall
ErrorDeviceSetConfig
ErrorBindSocketsToDefaultRoutes
ErrorSetNetConfig
@@ -51,6 +52,8 @@ func (e Error) Error() string {
return "Unable to listen on named pipe"
case ErrorDNSLookup:
return "Unable to resolve one or more DNS hostname endpoints"
+ case ErrorFirewall:
+ return "Unable to enable firewall rules"
case ErrorDeviceSetConfig:
return "Unable to set device configuration"
case ErrorBindSocketsToDefaultRoutes:
diff --git a/service/ifaceconfig.go b/service/ifaceconfig.go
index d1f8f2d1..6f2320cf 100644
--- a/service/ifaceconfig.go
+++ b/service/ifaceconfig.go
@@ -12,6 +12,8 @@ import (
"golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/tun"
"golang.zx2c4.com/wireguard/windows/conf"
+ "golang.zx2c4.com/wireguard/windows/service/firewall"
+ "log"
"net"
"sort"
)
@@ -264,3 +266,26 @@ func configureInterface(conf *conf.Config, tun *tun.NativeTun) error {
return nil
}
+
+func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
+ guid := tun.GUID()
+ luid, err := winipcfg.InterfaceGuidToLuid(&guid)
+ if err != nil {
+ return err
+ }
+ restrictDNS := len(conf.Interface.Dns) > 0
+ restrictAll := false
+ for _, peer := range conf.Peers {
+ for _, allowedip := range peer.AllowedIPs {
+ if allowedip.Cidr == 0 {
+ restrictAll = true
+ break
+ }
+ }
+ }
+ if restrictAll && !restrictDNS {
+ name, _ := tun.Name()
+ log.Printf("[%s] Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.", name)
+ }
+ return firewall.EnableFirewall(luid, restrictDNS, restrictAll)
+}
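Review bot: `name, _ := tun.Name()` on the warning path discards the error, so a failed lookup prints the warning with an empty `[]` tag and no indication why; since service_tunnel.go already stores the resolved name in `conf.Name` before calling enableFirewall, `log.Printf("[%s] Warning: ...", conf.Name)` avoids the second lookup and the ignored error (assuming conf.Name is always set by then — confirm with other callers). The inner `break` only leaves the AllowedIPs loop, so the peer loop keeps scanning after restrictAll is already true; a labeled break or an early exit from the outer loop would make the intent clearer. The new function also lacks a doc comment; I would add `// enableFirewall installs firewall rules for the tunnel interface identified by tun: DNS is restricted when conf.Interface.Dns is non-empty, and all traffic is restricted when any peer's AllowedIPs contains a /0 prefix (Cidr == 0).` If the restrict-all rules block non-tunnel traffic (cannot tell from this file), the warning text could state plainly that name resolution outside the tunnel will be blocked rather than "there may be connectivity issues".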
diff --git a/service/service_manager.go b/service/service_manager.go
index 9d60b57c..069bf459 100644
--- a/service/service_manager.go
+++ b/service/service_manager.go
@@ -51,8 +51,6 @@ type wtsSessionInfo struct {
state wtsState
}
-type wellKnownSidType uint32
-
//sys wtsQueryUserToken(session uint32, token *windows.Token) (err error) = wtsapi32.WTSQueryUserToken
//sys wtsEnumerateSessions(handle windows.Handle, reserved uint32, version uint32, sessions **wtsSessionInfo, count *uint32) (err error) = wtsapi32.WTSEnumerateSessionsW
//sys wtsFreeMemory(ptr uintptr) = wtsapi32.WTSFreeMemory
diff --git a/service/service_tunnel.go b/service/service_tunnel.go
index 419cfdbe..01e7b417 100644
--- a/service/service_tunnel.go
+++ b/service/service_tunnel.go
@@ -119,47 +119,45 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest,
logger = &device.Logger{stdLog, stdLog, stdLog}
logger.Info.Println("Starting wireguard-go version", device.WireGuardGoVersion)
- logger.Debug.Println("Debug log enabled")
+ logger.Info.Println("Resolving DNS names")
uapiConf, err := conf.ToUAPI()
if err != nil {
serviceError = ErrorDNSLookup
return
}
+ logger.Info.Println("Creating Wintun device")
wintun, err := tun.CreateTUN(conf.Name)
if err != nil {
serviceError = ErrorCreateWintun
return
}
+ logger.Info.Println("Determining Wintun device name")
realInterfaceName, err := wintun.Name()
if err != nil {
serviceError = ErrorDetermineWintunName
return
}
conf.Name = realInterfaceName
+ nativeTun := wintun.(*tun.NativeTun)
+
+ logger.Info.Println("Enabling firewall rules")
+ err = enableFirewall(conf, nativeTun)
+ if err != nil {
+ serviceError = ErrorFirewall
+ return
+ }
+ logger.Info.Println("Creating interface instance")
dev = device.NewDevice(wintun, logger)
- dev.Up()
- logger.Info.Println("Device started")
+ logger.Info.Println("Setting interface configuration")
uapi, err = ipc.UAPIListen(conf.Name)
if err != nil {
serviceError = ErrorUAPIListen
return
}
-
- go func() {
- for {
- conn, err := uapi.Accept()
- if err != nil {
- continue
- }
- go dev.IpcHandle(conn)
- }
- }()
- logger.Info.Println("UAPI listener started")
-
ipcErr := dev.IpcSetOperation(bufio.NewReader(strings.NewReader(uapiConf)))
if ipcErr != nil {
err = ipcErr
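Review bot: The type assertion `nativeTun := wintun.(*tun.NativeTun)` now sits on the main startup path before enableFirewall and is unchecked, so any non-NativeTun value returned by tun.CreateTUN panics the service instead of failing with a serviceError; `nativeTun, ok := wintun.(*tun.NativeTun)` followed by `if !ok { serviceError = ErrorCreateWintun; return }` keeps the failure on the existing error path (this assumes CreateTUN on Windows is not guaranteed to return *NativeTun — if it is, a one-line comment saying so would do). Enabling the firewall before the device is created and configured is the right fail-closed order; it would help to say so in a comment above `enableFirewall(conf, nativeTun)`, e.g. `// Firewall rules go in before the device is up so no traffic leaks during configuration.`. Whether the Wintun device created above is released when enableFirewall returns an error depends on cleanup outside this hunk, which I cannot see; worth confirming. Execute begins before and ends after this hunk.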
@@ -167,21 +165,36 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest,
return
}
- nativeTun := wintun.(*tun.NativeTun)
+ logger.Info.Println("Bringing peers up")
+ dev.Up()
+ logger.Info.Println("Monitoring default routes")
routeChangeCallback, err = monitorDefaultRoutes(dev, conf.Interface.Mtu == 0, nativeTun)
if err != nil {
serviceError = ErrorBindSocketsToDefaultRoutes
return
}
+ logger.Info.Println("Setting device address")
err = configureInterface(conf, nativeTun)
if err != nil {
serviceError = ErrorSetNetConfig
return
}
+ logger.Info.Println("Listening for UAPI requests")
+ go func() {
+ for {
+ conn, err := uapi.Accept()
+ if err != nil {
+ continue
+ }
+ go dev.IpcHandle(conn)
+ }
+ }()
+
changes <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop}
+ logger.Info.Println("Startup complete")
for {
select {