Feat: OPENVPN_INTERFACE defaulting to tun0

- Fix: custom config with custom network interface name for firewall
- Keep VPN tunnel interface in firewall state
- Vul fix: only allow traffic through vpn interface when needed
- Adapt code to adapt to network interface name
- Remove outdated TUN and TAP constants

internal/openvpn/custom/custom.go

@@ -14,18 +14,22 @@ var (
 )
 
 func BuildConfig(settings configuration.OpenVPN) (
-	lines []string, connection models.Connection, err error) {
+	lines []string, connection models.Connection, intf string, err error) {
 	lines, err = readCustomConfigLines(settings.Config)
 	if err != nil {
-		return nil, connection, fmt.Errorf("%w: %s", ErrReadCustomConfig, err)
+		return nil, connection, "", fmt.Errorf("%w: %s", ErrReadCustomConfig, err)
 	}
 
-	connection, err = extractConnectionFromLines(lines)
+	connection, intf, err = extractDataFromLines(lines)
 	if err != nil {
-		return nil, connection, fmt.Errorf("%w: %s", ErrExtractConnection, err)
+		return nil, connection, "", fmt.Errorf("%w: %s", ErrExtractConnection, err)
 	}
 
-	lines = modifyCustomConfig(lines, settings, connection)
+	if intf == "" {
+		intf = settings.Interface
+	}
 
-	return lines, connection, nil
+	lines = modifyCustomConfig(lines, settings, connection, intf)
+
+	return lines, connection, intf, nil
 }

internal/openvpn/custom/custom_test.go

@@ -27,18 +27,20 @@ func Test_BuildConfig(t *testing.T) {
 	require.NoError(t, err)
 
 	settings := configuration.OpenVPN{
-		Cipher: "cipher",
-		MSSFix: 999,
-		Config: file.Name(),
+		Cipher:    "cipher",
+		MSSFix:    999,
+		Config:    file.Name(),
+		Interface: "tun",
 	}
 
-	lines, connection, err := BuildConfig(settings)
+	lines, connection, intf, err := BuildConfig(settings)
 	assert.NoError(t, err)
 
 	expectedLines := []string{
 		"keep me",
 		"proto udp",
 		"remote 1.9.8.7 1194",
+		"dev tun",
 		"mute-replay-warnings",
 		"auth-nocache",
 		"pull-filter ignore \"auth-token\"",
@@ -60,4 +62,6 @@ func Test_BuildConfig(t *testing.T) {
 		Protocol: constants.UDP,
 	}
 	assert.Equal(t, expectedConnection, connection)
+
+	assert.Equal(t, "tun", intf)
 }

internal/openvpn/custom/extract.go

@@ -15,23 +15,24 @@ var (
 	errRemoteLineNotFound = errors.New("remote line not found")
 )
 
-// extractConnectionFromLines always takes the first remote line only.
-func extractConnectionFromLines(lines []string) (
-	connection models.Connection, err error) {
+func extractDataFromLines(lines []string) (
+	connection models.Connection, intf string, err error) {
 	for i, line := range lines {
-		newConnectionData, err := extractConnectionFromLine(line)
+		ip, port, protocol, intfFound, err := extractDataFromLine(line)
 		if err != nil {
-			return connection, fmt.Errorf("on line %d: %w", i+1, err)
+			return connection, "", fmt.Errorf("on line %d: %w", i+1, err)
 		}
-		connection.UpdateEmptyWith(newConnectionData)
 
-		if connection.Protocol != "" && connection.IP != nil {
+		intf = intfFound
+		connection.UpdateEmptyWith(ip, port, protocol)
+
+		if connection.Protocol != "" && connection.IP != nil && intf != "" {
 			break
 		}
 	}
 
 	if connection.IP == nil {
-		return connection, errRemoteLineNotFound
+		return connection, "", errRemoteLineNotFound
 	}
 
 	if connection.Protocol == "" {
@@ -45,32 +46,41 @@ func extractConnectionFromLines(lines []string) (
 		}
 	}
 
-	return connection, nil
+	return connection, intf, nil
 }
 
 var (
 	errExtractProto  = errors.New("failed extracting protocol from proto line")
-	errExtractRemote = errors.New("failed extracting protocol from remote line")
+	errExtractRemote = errors.New("failed extracting from remote line")
+	errExtractDev    = errors.New("failed extracting network interface from dev line")
 )
 
-func extractConnectionFromLine(line string) (
-	connection models.Connection, err error) {
+func extractDataFromLine(line string) (
+	ip net.IP, port uint16, protocol, intf string, err error) {
 	switch {
 	case strings.HasPrefix(line, "proto "):
-		connection.Protocol, err = extractProto(line)
+		protocol, err = extractProto(line)
 		if err != nil {
-			return connection, fmt.Errorf("%w: %s", errExtractProto, err)
+			return nil, 0, "", "", fmt.Errorf("%w: %s", errExtractProto, err)
 		}
+		return nil, 0, protocol, "", nil
 
-	// only take the first remote line
-	case strings.HasPrefix(line, "remote ") && connection.IP == nil:
-		connection.IP, connection.Port, connection.Protocol, err = extractRemote(line)
+	case strings.HasPrefix(line, "remote "):
+		ip, port, protocol, err = extractRemote(line)
 		if err != nil {
-			return connection, fmt.Errorf("%w: %s", errExtractRemote, err)
+			return nil, 0, "", "", fmt.Errorf("%w: %s", errExtractRemote, err)
 		}
+		return ip, port, protocol, "", nil
+
+	case strings.HasPrefix(line, "dev "):
+		intf, err = extractInterfaceFromLine(line)
+		if err != nil {
+			return nil, 0, "", "", fmt.Errorf("%w: %s", errExtractDev, err)
+		}
+		return nil, 0, "", intf, nil
 	}
 
-	return connection, nil
+	return nil, 0, "", "", nil
 }
 
 var (
@@ -137,3 +147,16 @@ func extractRemote(line string) (ip net.IP, port uint16,
 
 	return ip, port, protocol, nil
 }
+
+var (
+	errDevLineFieldsCount = errors.New("dev line has not 2 fields as expected")
+)
+
+func extractInterfaceFromLine(line string) (intf string, err error) {
+	fields := strings.Fields(line)
+	if len(fields) != 2 { //nolint:gomnd
+		return "", fmt.Errorf("%w: %s", errDevLineFieldsCount, line)
+	}
+
+	return fields[1], nil
+}

internal/openvpn/custom/extract_test.go

@@ -11,21 +11,23 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func Test_extractConnectionFromLines(t *testing.T) {
+func Test_extractDataFromLines(t *testing.T) {
 	t.Parallel()
 
 	testCases := map[string]struct {
 		lines      []string
 		connection models.Connection
+		intf       string
 		err        error
 	}{
 		"success": {
-			lines: []string{"bla bla", "proto tcp", "remote 1.2.3.4 1194 tcp"},
+			lines: []string{"bla bla", "proto tcp", "remote 1.2.3.4 1194 tcp", "dev tun6"},
 			connection: models.Connection{
 				IP:       net.IPv4(1, 2, 3, 4),
 				Port:     1194,
 				Protocol: constants.TCP,
 			},
+			intf: "tun6",
 		},
 		"extraction error": {
 			lines: []string{"bla bla", "proto bad", "remote 1.2.3.4 1194 tcp"},
@@ -69,7 +71,7 @@ func Test_extractConnectionFromLines(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			connection, err := extractConnectionFromLines(testCase.lines)
+			connection, intf, err := extractDataFromLines(testCase.lines)
 
 			if testCase.err != nil {
 				require.Error(t, err)
@@ -79,17 +81,21 @@ func Test_extractConnectionFromLines(t *testing.T) {
 			}
 
 			assert.Equal(t, testCase.connection, connection)
+			assert.Equal(t, testCase.intf, intf)
 		})
 	}
 }
 
-func Test_extractConnectionFromLine(t *testing.T) {
+func Test_extractDataFromLine(t *testing.T) {
 	t.Parallel()
 
 	testCases := map[string]struct {
-		line       string
-		connection models.Connection
-		isErr      error
+		line     string
+		ip       net.IP
+		port     uint16
+		protocol string
+		intf     string
+		isErr    error
 	}{
 		"irrelevant line": {
 			line: "bla bla",
@@ -99,22 +105,26 @@ func Test_extractConnectionFromLine(t *testing.T) {
 			isErr: errExtractProto,
 		},
 		"extract proto success": {
-			line: "proto tcp",
-			connection: models.Connection{
-				Protocol: constants.TCP,
-			},
+			line:     "proto tcp",
+			protocol: constants.TCP,
+		},
+		"extract intf error": {
+			line:  "dev ",
+			isErr: errExtractDev,
+		},
+		"extract intf success": {
+			line: "dev tun3",
+			intf: "tun3",
 		},
 		"extract remote error": {
 			line:  "remote bad",
 			isErr: errExtractRemote,
 		},
 		"extract remote success": {
-			line: "remote 1.2.3.4 1194 udp",
-			connection: models.Connection{
-				IP:       net.IPv4(1, 2, 3, 4),
-				Port:     1194,
-				Protocol: constants.UDP,
-			},
+			line:     "remote 1.2.3.4 1194 udp",
+			ip:       net.IPv4(1, 2, 3, 4),
+			port:     1194,
+			protocol: constants.UDP,
 		},
 	}
 
@@ -123,7 +133,7 @@ func Test_extractConnectionFromLine(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			connection, err := extractConnectionFromLine(testCase.line)
+			ip, port, protocol, intf, err := extractDataFromLine(testCase.line)
 
 			if testCase.isErr != nil {
 				assert.ErrorIs(t, err, testCase.isErr)
@@ -131,7 +141,10 @@ func Test_extractConnectionFromLine(t *testing.T) {
 				assert.NoError(t, err)
 			}
 
-			assert.Equal(t, testCase.connection, connection)
+			assert.Equal(t, testCase.ip, ip)
+			assert.Equal(t, testCase.port, port)
+			assert.Equal(t, testCase.protocol, protocol)
+			assert.Equal(t, testCase.intf, intf)
 		})
 	}
 }
@@ -260,3 +273,44 @@ func Test_extractRemote(t *testing.T) {
 		})
 	}
 }
+
+func Test_extractInterface(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		line string
+		intf string
+		err  error
+	}{
+		"found": {
+			line: "dev tun3",
+			intf: "tun3",
+		},
+		"not enough fields": {
+			line: "dev ",
+			err:  errors.New("dev line has not 2 fields as expected: dev "),
+		},
+		"too many fields": {
+			line: "dev one two",
+			err:  errors.New("dev line has not 2 fields as expected: dev one two"),
+		},
+	}
+
+	for name, testCase := range testCases {
+		testCase := testCase
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			intf, err := extractInterfaceFromLine(testCase.line)
+
+			if testCase.err != nil {
+				require.Error(t, err)
+				assert.Equal(t, testCase.err.Error(), err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, testCase.intf, intf)
+		})
+	}
+}

internal/openvpn/custom/modify.go

@@ -11,7 +11,7 @@ import (
 )
 
 func modifyCustomConfig(lines []string, settings configuration.OpenVPN,
-	connection models.Connection) (modified []string) {
+	connection models.Connection, intf string) (modified []string) {
 	// Remove some lines
 	for _, line := range lines {
 		switch {
@@ -22,6 +22,7 @@ func modifyCustomConfig(lines []string, settings configuration.OpenVPN,
 			strings.HasPrefix(line, "user "),
 			strings.HasPrefix(line, "proto "),
 			strings.HasPrefix(line, "remote "),
+			strings.HasPrefix(line, "dev "),
 			settings.Cipher != "" && strings.HasPrefix(line, "cipher "),
 			settings.Cipher != "" && strings.HasPrefix(line, "data-ciphers "),
 			settings.Auth != "" && strings.HasPrefix(line, "auth "),
@@ -35,6 +36,7 @@ func modifyCustomConfig(lines []string, settings configuration.OpenVPN,
 	// Add values
 	modified = append(modified, connection.OpenVPNProtoLine())
 	modified = append(modified, connection.OpenVPNRemoteLine())
+	modified = append(modified, "dev "+intf)
 	modified = append(modified, "mute-replay-warnings")
 	modified = append(modified, "auth-nocache")
 	modified = append(modified, "pull-filter ignore \"auth-token\"") // prevent auth failed loop

internal/openvpn/custom/modify_test.go

@@ -17,6 +17,7 @@ func Test_modifyCustomConfig(t *testing.T) {
 		lines      []string
 		settings   configuration.OpenVPN
 		connection models.Connection
+		intf       string
 		modified   []string
 	}{
 		"mixed": {
@@ -41,10 +42,12 @@ func Test_modifyCustomConfig(t *testing.T) {
 				Port:     1194,
 				Protocol: constants.UDP,
 			},
+			intf: "tun3",
 			modified: []string{
 				"keep me here",
 				"proto udp",
 				"remote 1.2.3.4 1194",
+				"dev tun3",
 				"mute-replay-warnings",
 				"auth-nocache",
 				"pull-filter ignore \"auth-token\"",
@@ -69,7 +72,7 @@ func Test_modifyCustomConfig(t *testing.T) {
 			t.Parallel()
 
 			modified := modifyCustomConfig(testCase.lines,
-				testCase.settings, testCase.connection)
+				testCase.settings, testCase.connection, testCase.intf)
 
 			assert.Equal(t, testCase.modified, modified)
 		})