tunnel: only enable DNS blocking for 0/0 configs

This lets people use split tunnel DNS for the more common case. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2020-11-19 18:23:00 +0100
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2020-11-22 22:00:32 +0100
commit: 06447c39fad2398e4c35c56acc5e66cc1e581f65 (patch)
tree: bd9d332f9d114ce2ae8f147b637c4900438aa547 /tunnel
parent: installer: remove admin knobs in cleanup (diff)
download: wireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.tar.xz
wireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.zip
3 files changed, 28 insertions, 39 deletions
diff --git a/tunnel/addressconfig.go b/tunnel/addressconfig.go
index 6aba9ce8..c293df1b 100644
--- a/tunnel/addressconfig.go
+++ b/tunnel/addressconfig.go
@@ -180,7 +180,6 @@ func configureInterface(family winipcfg.AddressFamily, conf *conf.Config, tun *t
 }
 
 func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
-	restrictAll := false
 	if len(conf.Peers) == 1 {
 	nextallowedip:
 		for _, allowedip := range conf.Peers[0].AllowedIPs {
@@ -190,13 +189,10 @@ func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
 						continue nextallowedip
 					}
 				}
-				restrictAll = true
-				break
+				log.Println("Enabling firewall rules")
+				return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS)
 			}
 		}
 	}
-	if restrictAll && len(conf.Interface.DNS) == 0 {
-		log.Println("Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.")
-	}
-	return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS, restrictAll)
+	return nil
 }
diff --git a/tunnel/firewall/blocker.go b/tunnel/firewall/blocker.go
index 7da391ca..54645d24 100644
--- a/tunnel/firewall/blocker.go
+++ b/tunnel/firewall/blocker.go
@@ -101,7 +101,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) {
 	return bo, nil
 }
 
-func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool) error {
+func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error {
 	if wfpSession != 0 {
 		return errors.New("The firewall has already been enabled")
 	}
@@ -129,11 +129,9 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool
 			}
 		}
 
-		if restrictAll {
-			err = permitLoopback(session, baseObjects, 13)
-			if err != nil {
-				return wrapErr(err)
-			}
+		err = permitLoopback(session, baseObjects, 13)
+		if err != nil {
+			return wrapErr(err)
 		}
 
 		err = permitTunInterface(session, baseObjects, 12, luid)
@@ -141,36 +139,32 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool
 			return wrapErr(err)
 		}
 
-		if restrictAll {
-			err = permitDHCPIPv4(session, baseObjects, 12)
-			if err != nil {
-				return wrapErr(err)
-			}
+		err = permitDHCPIPv4(session, baseObjects, 12)
+		if err != nil {
+			return wrapErr(err)
+		}
 
-			err = permitDHCPIPv6(session, baseObjects, 12)
-			if err != nil {
-				return wrapErr(err)
-			}
+		err = permitDHCPIPv6(session, baseObjects, 12)
+		if err != nil {
+			return wrapErr(err)
+		}
 
-			err = permitNdp(session, baseObjects, 12)
-			if err != nil {
-				return wrapErr(err)
-			}
+		err = permitNdp(session, baseObjects, 12)
+		if err != nil {
+			return wrapErr(err)
+		}
 
-			/* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
-			 *  In other words, if somebody complains, try enabling it. For now, keep it off.
-			err = permitHyperV(session, baseObjects, 12)
-			if err != nil {
-				return wrapErr(err)
-			}
-			*/
+		/* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
+		 *  In other words, if somebody complains, try enabling it. For now, keep it off.
+		err = permitHyperV(session, baseObjects, 12)
+		if err != nil {
+			return wrapErr(err)
 		}
+		*/
 
-		if restrictAll {
-			err = blockAll(session, baseObjects, 0)
-			if err != nil {
-				return wrapErr(err)
-			}
+		err = blockAll(session, baseObjects, 0)
+		if err != nil {
+			return wrapErr(err)
 		}
 
 		return nil
diff --git a/tunnel/service.go b/tunnel/service.go
index 8b81f56d..33b5c116 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
@@ -171,7 +171,6 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest,
 		log.Printf("Using Wintun/%d.%d", (wintunVersion>>16)&0xffff, wintunVersion&0xffff)
 	}
 
-	log.Println("Enabling firewall rules")
 	err = enableFirewall(conf, nativeTun)
 	if err != nil {
 		serviceError = services.ErrorFirewall
author	Jason A. Donenfeld <Jason@zx2c4.com>	2020-11-19 18:23:00 +0100
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2020-11-22 22:00:32 +0100
commit	06447c39fad2398e4c35c56acc5e66cc1e581f65 (patch)
tree	bd9d332f9d114ce2ae8f147b637c4900438aa547 /tunnel
parent	installer: remove admin knobs in cleanup (diff)
download	wireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.tar.xz wireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.zip