authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 16:53:05 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 16:53:05 +0200
commitf483a403713d1e8cf26d8d2e09b370a0f7003348 (patch)
tree18943c62deb6aa40cdaa4a2b6cad931546d0ff43 /service/ifaceconfig.go
parentfirewall: introduce incomplete untested prototype (diff)
service: wire up firewall
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'service/ifaceconfig.go')
-rw-r--r--service/ifaceconfig.go25
1 files changed, 25 insertions, 0 deletions
diff --git a/service/ifaceconfig.go b/service/ifaceconfig.go
index d1f8f2d1..6f2320cf 100644
--- a/service/ifaceconfig.go
+++ b/service/ifaceconfig.go
@@ -12,6 +12,8 @@ import (
"golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/tun"
"golang.zx2c4.com/wireguard/windows/conf"
+ "golang.zx2c4.com/wireguard/windows/service/firewall"
+ "log"
"net"
"sort"
)
@@ -264,3 +266,26 @@ func configureInterface(conf *conf.Config, tun *tun.NativeTun) error {
return nil
}
+
+func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
+ guid := tun.GUID()
+ luid, err := winipcfg.InterfaceGuidToLuid(&guid)
+ if err != nil {
+ return err
+ }
+ restrictDNS := len(conf.Interface.Dns) > 0
+ restrictAll := false
+ for _, peer := range conf.Peers {
+ for _, allowedip := range peer.AllowedIPs {
+ if allowedip.Cidr == 0 {
+ restrictAll = true
+ break
+ }
+ }
+ }
+ if restrictAll && !restrictDNS {
+ name, _ := tun.Name()
+ log.Printf("[%s] Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.", name)
+ }
+ return firewall.EnableFirewall(luid, restrictDNS, restrictAll)
+}
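Review bot: The `break` on the `allowedip.Cidr == 0` branch only leaves the inner AllowedIPs loop, so the outer loop keeps scanning the remaining peers after restrictAll is already true; a labeled loop (`peers:` before the outer `for`, `break peers` in the branch) states the intent and avoids a reader assuming the scan stops there. `name, _ := tun.Name()` discards the error, so on failure the warning is logged with an empty interface tag; `name, err := tun.Name()` with a fallback such as `"<unknown>"` when err is non-nil keeps the log line attributable. A doc comment would help because the two booleans encode the firewall policy: `// enableFirewall asks the firewall package to restrict traffic to the tunnel only when some peer has a 0.0.0.0/0 or ::/0 allowed IP, and to restrict DNS only when the config lists DNS servers.` The closing lines at the top of the hunk belong to configureInterface, which starts outside it.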