Feat: OPENVPN_INTERFACE defaulting to tun0

- Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants
2021-08-19 23:22:55 +00:00
parent 7191d4e911
commit bec8ff27ae
20 changed files with 219 additions and 89 deletions
--- a/internal/firewall/vpn.go
+++ b/internal/firewall/vpn.go
@@ -8,10 +8,12 @@ import (
 )

 type VPNConnectionSetter interface {
-	SetVPNConnection(ctx context.Context, connection models.Connection) error
+	SetVPNConnection(ctx context.Context,
+		connection models.Connection, vpnIntf string) error
 }

-func (c *Config) SetVPNConnection(ctx context.Context, connection models.Connection) (err error) {
+func (c *Config) SetVPNConnection(ctx context.Context,
+	connection models.Connection, vpnIntf string) (err error) {
 	c.stateMutex.Lock()
 	defer c.stateMutex.Unlock()

@@ -34,10 +36,25 @@ func (c *Config) SetVPNConnection(ctx context.Context, connection models.Connect
 		}
 	}
 	c.vpnConnection = models.Connection{}
+
+	if c.vpnIntf != "" {
+		if err = c.acceptOutputThroughInterface(ctx, c.vpnIntf, remove); err != nil {
+			c.logger.Error("cannot remove outdated VPN interface from firewall: " + err.Error())
+		}
+	}
+	c.vpnIntf = ""
+
 	remove = false
+
 	if err := c.acceptOutputTrafficToVPN(ctx, c.defaultInterface, connection, remove); err != nil {
 		return fmt.Errorf("cannot set VPN connection through firewall: %w", err)
 	}
 	c.vpnConnection = connection
+
+	if err = c.acceptOutputThroughInterface(ctx, vpnIntf, remove); err != nil {
+		return fmt.Errorf("cannot accept output traffic through interface %s: %w", vpnIntf, err)
+	}
+	c.vpnIntf = vpnIntf
+
 	return nil
 }