author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 16:53:05 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 16:53:05 +0200 |
commit | 9316f1c3d4fc47fb4f806d9554bfc78a4a7357ed (patch) | |
tree | 18943c62deb6aa40cdaa4a2b6cad931546d0ff43 | |
parent | firewall: introduce incomplete untested prototype (diff) | |
service: wire up firewall
Diffstat (limited to '')
-rw-r--r-- | service/errors.go | 3 | ||||
-rw-r--r-- | service/ifaceconfig.go | 25 | ||||
-rw-r--r-- | service/service_manager.go | 2 | ||||
-rw-r--r-- | service/service_tunnel.go | 45 |
4 files changed, 57 insertions, 18 deletions
diff --git a/service/errors.go b/service/errors.go index e456818b..ecc0283a 100644 --- a/service/errors.go +++ b/service/errors.go @@ -21,6 +21,7 @@ const ( ErrorDetermineWintunName ErrorUAPIListen ErrorDNSLookup + ErrorFirewall ErrorDeviceSetConfig ErrorBindSocketsToDefaultRoutes ErrorSetNetConfig @@ -51,6 +52,8 @@ func (e Error) Error() string { return "Unable to listen on named pipe" case ErrorDNSLookup: return "Unable to resolve one or more DNS hostname endpoints" + case ErrorFirewall: + return "Unable to enable firewall rules" case ErrorDeviceSetConfig: return "Unable to set device configuration" case ErrorBindSocketsToDefaultRoutes: diff --git a/service/ifaceconfig.go b/service/ifaceconfig.go index d1f8f2d1..6f2320cf 100644 --- a/service/ifaceconfig.go +++ b/service/ifaceconfig.go @@ -12,6 +12,8 @@ import ( "golang.zx2c4.com/wireguard/device" "golang.zx2c4.com/wireguard/tun" "golang.zx2c4.com/wireguard/windows/conf" + "golang.zx2c4.com/wireguard/windows/service/firewall" + "log" "net" "sort" ) @@ -264,3 +266,26 @@ func configureInterface(conf *conf.Config, tun *tun.NativeTun) error { return nil } + +func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error { + guid := tun.GUID() + luid, err := winipcfg.InterfaceGuidToLuid(&guid) + if err != nil { + return err + } + restrictDNS := len(conf.Interface.Dns) > 0 + restrictAll := false + for _, peer := range conf.Peers { + for _, allowedip := range peer.AllowedIPs { + if allowedip.Cidr == 0 { + restrictAll = true + break + } + } + } + if restrictAll && !restrictDNS { + name, _ := tun.Name() + log.Printf("[%s] Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.", name) + } + return firewall.EnableFirewall(luid, restrictDNS, restrictAll) +} diff --git a/service/service_manager.go b/service/service_manager.go index 9d60b57c..069bf459 100644 --- a/service/service_manager.go +++ b/service/service_manager.go 
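Review bot: The policy decision in the new enableFirewall (ifaceconfig.go hunk) — `restrictDNS` from whether any DNS server is configured, `restrictAll` from any AllowedIP with `Cidr == 0` — has no doc comment, and the discarded error in `name, _ := tun.Name()` has no justifying comment, which the Go style the project follows otherwise expects. Suggest `// enableFirewall installs the tunnel's firewall rules: DNS is restricted to the configured servers when any are set, and all non-tunnel traffic is blocked when any peer allows 0.0.0.0/0 or ::/0.` above the function and `name, _ := tun.Name() // best-effort, used only for the log line` on the discard. A single `Cidr == 0` on either address family sets `restrictAll`; if firewall.EnableFirewall blocks both families in that case, a configuration allowing only `::/0` would also cut off IPv4 outside the tunnel — worth confirming that is intended and recording it in the comment. The inner `break` leaves only the AllowedIPs loop, so the outer loop keeps scanning after `restrictAll` is already true; a labeled break would make the intent clearer without changing behaviour. The error from `winipcfg.InterfaceGuidToLuid` is returned bare; wrapping it would let the ErrorFirewall path distinguish adapter lookup failures from rule installation failures.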
@@ -51,8 +51,6 @@ type wtsSessionInfo struct { state wtsState } -type wellKnownSidType uint32 - //sys wtsQueryUserToken(session uint32, token *windows.Token) (err error) = wtsapi32.WTSQueryUserToken //sys wtsEnumerateSessions(handle windows.Handle, reserved uint32, version uint32, sessions **wtsSessionInfo, count *uint32) (err error) = wtsapi32.WTSEnumerateSessionsW //sys wtsFreeMemory(ptr uintptr) = wtsapi32.WTSFreeMemory diff --git a/service/service_tunnel.go b/service/service_tunnel.go index 419cfdbe..01e7b417 100644 --- a/service/service_tunnel.go +++ b/service/service_tunnel.go 
@@ -119,47 +119,45 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest, logger = &device.Logger{stdLog, stdLog, stdLog} logger.Info.Println("Starting wireguard-go version", device.WireGuardGoVersion) - logger.Debug.Println("Debug log enabled") + logger.Info.Println("Resolving DNS names") uapiConf, err := conf.ToUAPI() if err != nil { serviceError = ErrorDNSLookup return } + logger.Info.Println("Creating Wintun device") wintun, err := tun.CreateTUN(conf.Name) if err != nil { serviceError = ErrorCreateWintun return } + logger.Info.Println("Determining Wintun device name") realInterfaceName, err := wintun.Name() if err != nil { serviceError = ErrorDetermineWintunName return } conf.Name = realInterfaceName + nativeTun := wintun.(*tun.NativeTun) + + logger.Info.Println("Enabling firewall rules") + err = enableFirewall(conf, nativeTun) + if err != nil { + serviceError = ErrorFirewall + return + } + logger.Info.Println("Creating interface instance") dev = device.NewDevice(wintun, logger) - dev.Up() - logger.Info.Println("Device started") + logger.Info.Println("Setting interface configuration") uapi, err = ipc.UAPIListen(conf.Name) if err != nil { serviceError = ErrorUAPIListen return } - - go func() { - for { - conn, err := uapi.Accept() - if err != nil { - continue - } - go dev.IpcHandle(conn) - } - }() - logger.Info.Println("UAPI listener started") - ipcErr := dev.IpcSetOperation(bufio.NewReader(strings.NewReader(uapiConf))) if ipcErr != nil { err = ipcErr 
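Review bot: `logger.Info.Println("Setting interface configuration")` is emitted before `ipc.UAPIListen`, but the configuration is actually applied by `dev.IpcSetOperation` two statements later, so a UAPIListen failure (ErrorUAPIListen) is logged under a misleading step; move the line to just before the `IpcSetOperation` call, or log `"Starting UAPI listener"` ahead of `UAPIListen`. The assertion `nativeTun := wintun.(*tun.NativeTun)`, moved up from later in Execute, still panics rather than failing the service if `tun.CreateTUN` ever returns another implementation; `nativeTun, ok := wintun.(*tun.NativeTun)` with a serviceError return on `!ok` would keep that failure on the normal error path. Enabling the firewall before the device is configured and brought up is the right fail-closed order; whether a failed `enableFirewall` can leave partially installed rules behind depends on firewall.EnableFirewall, which is outside this diff, so if it can fail midway a rollback there (or a comment stating it is all-or-nothing) would be worth adding. Execute continues beyond the end of this hunk.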
@@ -167,21 +165,36 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest, return } - nativeTun := wintun.(*tun.NativeTun) + logger.Info.Println("Bringing peers up") + dev.Up() + logger.Info.Println("Monitoring default routes") routeChangeCallback, err = monitorDefaultRoutes(dev, conf.Interface.Mtu == 0, nativeTun) if err != nil { serviceError = ErrorBindSocketsToDefaultRoutes return } + logger.Info.Println("Setting device address") err = configureInterface(conf, nativeTun) if err != nil { serviceError = ErrorSetNetConfig return } + logger.Info.Println("Listening for UAPI requests") + go func() { + for { + conn, err := uapi.Accept() + if err != nil { + continue + } + go dev.IpcHandle(conn) + } + }() + changes <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop} + logger.Info.Println("Startup complete") for { select { |
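Review bot: The UAPI accept loop, moved here from earlier in Execute, `continue`s on every `uapi.Accept()` error, so once the listener is closed at shutdown — or if Accept fails persistently — the goroutine spins at full CPU until the process exits. Consider leaving the loop when the listener is gone, e.g. `if err != nil { logger.Error.Println("UAPI accept:", err); return }` if transient accept errors are not expected, or distinguishing a closed-listener error if they are; which errors ipc.UAPIListen's listener can return is not visible here. Execute continues past the end of this hunk, so how `uapi` is closed on stop cannot be confirmed from the diff.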