Feat: OPENVPN_INTERFACE defaulting to tun0

- Fix: custom config with custom network interface name for firewall
- Keep VPN tunnel interface in firewall state
- Vul fix: only allow traffic through vpn interface when needed
- Adapt code to adapt to network interface name
- Remove outdated TUN and TAP constants

internal/configuration/openvpn.go

@@ -1,7 +1,9 @@
 package configuration
 
 import (
+	"errors"
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 
@@ -26,6 +28,7 @@ type OpenVPN struct {
 	EncPreset string   `json:"encryption_preset"` // PIA
 	IPv6      bool     `json:"ipv6"`              // Mullvad
 	ProcUser  string   `json:"procuser"`          // Process username
+	Interface string   `json:"interface"`
 }
 
 func (settings *OpenVPN) String() string {
@@ -39,6 +42,8 @@ func (settings *OpenVPN) lines() (lines []string) {
 
 	lines = append(lines, indent+lastIndent+"Verbosity level: "+strconv.Itoa(settings.Verbosity))
 
+	lines = append(lines, indent+lastIndent+"Network interface: "+settings.Interface)
+
 	if len(settings.Flags) > 0 {
 		lines = append(lines, indent+lastIndent+"Flags: "+strings.Join(settings.Flags, " "))
 	}
@@ -148,6 +153,11 @@ func (settings *OpenVPN) read(r reader, serviceProvider string) (err error) {
 		return fmt.Errorf("environment variable OPENVPN_IPV6: %w", err)
 	}
 
+	settings.Interface, err = readInterface(r.env)
+	if err != nil {
+		return err
+	}
+
 	settings.EncPreset, err = getPIAEncryptionPreset(r)
 	if err != nil {
 		return err
@@ -173,3 +183,22 @@ func readProtocol(env params.Env) (tcp bool, err error) {
 	}
 	return protocol == constants.TCP, nil
 }
+
+const openvpnIntfRegexString = `^.*[0-9]$`
+
+var openvpnIntfRegexp = regexp.MustCompile(openvpnIntfRegexString)
+var errInterfaceNameNotValid = errors.New("interface name is not valid")
+
+func readInterface(env params.Env) (intf string, err error) {
+	intf, err = env.Get("OPENVPN_INTERFACE", params.Default("tun0"))
+	if err != nil {
+		return "", fmt.Errorf("environment variable OPENVPN_INTERFACE: %w", err)
+	}
+
+	if !openvpnIntfRegexp.MatchString(intf) {
+		return "", fmt.Errorf("%w: does not match regex %s: %s",
+			errInterfaceNameNotValid, openvpnIntfRegexString, intf)
+	}
+
+	return intf, nil
+}

internal/configuration/openvpn_test.go

@@ -29,7 +29,8 @@ func Test_OpenVPN_JSON(t *testing.T) {
   "version": "",
   "encryption_preset": "",
   "ipv6": false,
-  "procuser": ""
+  "procuser": "",
+  "interface": ""
 }`, string(data))
 	var out OpenVPN
 	err = json.Unmarshal(data, &out)

internal/configuration/settings_test.go

@@ -22,7 +22,8 @@ func Test_Settings_lines(t *testing.T) {
 						Name: constants.Mullvad,
 					},
 					OpenVPN: OpenVPN{
-						Version: constants.Openvpn25,
+						Version:   constants.Openvpn25,
+						Interface: "tun",
 					},
 				},
 			},
@@ -33,6 +34,7 @@ func Test_Settings_lines(t *testing.T) {
 				"   |--OpenVPN:",
 				"      |--Version: 2.5",
 				"      |--Verbosity level: 0",
+				"      |--Network interface: tun",
 				"   |--Mullvad settings:",
 				"      |--OpenVPN selection:",
 				"         |--Protocol: udp",