internal/firewall/vpn.go

package firewall

import (
	"context"
	"fmt"

	"github.com/qdm12/gluetun/internal/models"
)

type VPNConnectionSetter interface {
	SetVPNConnection(ctx context.Context,
		connection models.Connection, vpnIntf string) error
}

func (c *Config) SetVPNConnection(ctx context.Context,
	connection models.Connection, vpnIntf string) (err error) {
	c.stateMutex.Lock()
	defer c.stateMutex.Unlock()

	if !c.enabled {
		c.logger.Info("firewall disabled, only updating internal VPN connection")
		c.vpnConnection = connection
		return nil
	}

	c.logger.Info("allowing VPN connection...")

	if c.vpnConnection.Equal(connection) {
		return nil
	}

	remove := true
	if c.vpnConnection.IP != nil {
		if err := c.acceptOutputTrafficToVPN(ctx, c.defaultInterface, c.vpnConnection, remove); err != nil {
			c.logger.Error("cannot remove outdated VPN connection rule: " + err.Error())
		}
	}
	c.vpnConnection = models.Connection{}

	if c.vpnIntf != "" {
		if err = c.acceptOutputThroughInterface(ctx, c.vpnIntf, remove); err != nil {
			c.logger.Error("cannot remove outdated VPN interface rule: " + err.Error())
		}
	}
	c.vpnIntf = ""

	remove = false

	if err := c.acceptOutputTrafficToVPN(ctx, c.defaultInterface, connection, remove); err != nil {
		return fmt.Errorf("cannot allow output traffic through VPN connection: %w", err)
	}
	c.vpnConnection = connection

	if err = c.acceptOutputThroughInterface(ctx, vpnIntf, remove); err != nil {
		return fmt.Errorf("cannot accept output traffic through interface %s: %w", vpnIntf, err)
	}
	c.vpnIntf = vpnIntf

	return nil
}
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`package firewall`

			`import (`
			`"context"`
			`"fmt"`

Rename repo to Gluetun, refers to #112 2020-07-26 12:07:06 +00:00			`"github.com/qdm12/gluetun/internal/models"`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`)`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`type VPNConnectionSetter interface {`
Feat: `OPENVPN_INTERFACE` defaulting to `tun0` - Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants 2021-08-19 23:22:55 +00:00			`SetVPNConnection(ctx context.Context,`
			`connection models.Connection, vpnIntf string) error`
Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`}`

Feat: `OPENVPN_INTERFACE` defaulting to `tun0` - Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants 2021-08-19 23:22:55 +00:00			`func (c *Config) SetVPNConnection(ctx context.Context,`
			`connection models.Connection, vpnIntf string) (err error) {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`c.stateMutex.Lock()`
			`defer c.stateMutex.Unlock()`

			`if !c.enabled {`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`c.logger.Info("firewall disabled, only updating internal VPN connection")`
			`c.vpnConnection = connection`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`return nil`
			`}`

chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`c.logger.Info("allowing VPN connection...")`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`if c.vpnConnection.Equal(connection) {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`return nil`
			`}`

Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`remove := true`
			`if c.vpnConnection.IP != nil {`
			`if err := c.acceptOutputTrafficToVPN(ctx, c.defaultInterface, c.vpnConnection, remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`c.logger.Error("cannot remove outdated VPN connection rule: " + err.Error())`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
			`}`
Maint: make VPN connection not specific to OpenVPN - Add VPN field to ServerSelection struct - Set VPN type to server selection at start using VPN_TYPE - Change OpenVPNConnection to Connection with Type field - Rename Provider GetOpenVPNConnection to GetConnection - Rename GetTargetIPOpenVPNConnection to GetTargetIPConnection - Rename PickRandomOpenVPNConnection to PickRandomConnection - Add 'OpenVPN' prefix to OpenVPN specific methods on connection 2021-08-19 14:09:41 +00:00			`c.vpnConnection = models.Connection{}`
Feat: `OPENVPN_INTERFACE` defaulting to `tun0` - Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants 2021-08-19 23:22:55 +00:00
			`if c.vpnIntf != "" {`
			`if err = c.acceptOutputThroughInterface(ctx, c.vpnIntf, remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`c.logger.Error("cannot remove outdated VPN interface rule: " + err.Error())`
Feat: `OPENVPN_INTERFACE` defaulting to `tun0` - Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants 2021-08-19 23:22:55 +00:00			`}`
			`}`
			`c.vpnIntf = ""`

Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`remove = false`
Feat: `OPENVPN_INTERFACE` defaulting to `tun0` - Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants 2021-08-19 23:22:55 +00:00
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`if err := c.acceptOutputTrafficToVPN(ctx, c.defaultInterface, connection, remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return fmt.Errorf("cannot allow output traffic through VPN connection: %w", err)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`c.vpnConnection = connection`
Feat: `OPENVPN_INTERFACE` defaulting to `tun0` - Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants 2021-08-19 23:22:55 +00:00
			`if err = c.acceptOutputThroughInterface(ctx, vpnIntf, remove); err != nil {`
			`return fmt.Errorf("cannot accept output traffic through interface %s: %w", vpnIntf, err)`
			`}`
			`c.vpnIntf = vpnIntf`

Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`return nil`
			`}`