| author | Markus Pettersson <markus.pettersson@mullvad.net> | 2024-09-17 16:32:41 +0200 |
|---|---|---|
| committer | Markus Pettersson <markus.pettersson@mullvad.net> | 2024-09-18 13:49:12 +0200 |
| commit | 0264abaf2801709bb9e78e533b8873a0ee3ae6dd (patch) | |
| tree | c1663932f2fea79df9a4d4783edc3460abd53333 | |
| parent | 7e7a21838c53ede1c7a0c6f3e9c06f6cb50870b7 (diff) | |
Fix bug where allowed ips would not be patched if DAITA was enabled
| -rw-r--r-- | talpid-wireguard/src/lib.rs | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/talpid-wireguard/src/lib.rs b/talpid-wireguard/src/lib.rs
index 634c265f9c..0c918e1fc7 100644
--- a/talpid-wireguard/src/lib.rs
+++ b/talpid-wireguard/src/lib.rs
@@ -488,15 +488,17 @@ impl WireguardMonitor {
         log_path: Option<&Path>,
         args: TunnelArgs<'_, F>,
     ) -> Result<WireguardMonitor> {
+        let should_negotiate_ephemeral_peer = config.quantum_resistant || config.daita;
         let tunnel = Self::open_tunnel(
             args.runtime.clone(),
             &config,
             log_path,
             args.resource_dir,
             args.tun_provider.clone(),
-            // TODO: This seems like a bug! Should `config.quantum_resistant` really be the
-            // argument for `gateway_only` parameter?
-            config.quantum_resistant,
+            // In case we should negotiate an ephemeral peer, we should specify via AllowedIPs
+            // that we only allows traffic to/from the gateway. This is only needed on Android
+            // since we lack a firewall there.
+            should_negotiate_ephemeral_peer,
         )?;
         let (close_obfs_sender, close_obfs_listener) = sync_mpsc::channel();
@@ -578,7 +580,7 @@ impl WireguardMonitor {
             }
         };
-        if config.quantum_resistant || config.daita {
+        if should_negotiate_ephemeral_peer {
             // Ping before negotiating the ephemeral peer to make sure that the tunnel works.
             tokio::task::spawn_blocking(ping()).await.unwrap()?;
             let ephemeral_obfs_sender = close_obfs_sender.clone();
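Review bot: The new comment above the `gateway_only` argument says the AllowedIPs restriction is "only needed on Android", but `should_negotiate_ephemeral_peer` is passed on every platform and nothing in this hunk gates it by target OS, so a reader cannot tell whether non-Android builds apply the restriction too or `open_tunnel` ignores the flag there; that behaviour lives outside the hunk and should be stated explicitly rather than implied. The comment also loses the invariant this commit actually establishes, namely that the restriction and the ephemeral-peer negotiation must stay in lockstep because a restricted tunnel that never negotiates (or a negotiating tunnel that was never restricted) is exactly the leak the old TODO was worried about, and it has a grammar slip ("we only allows"). I would replace the three comment lines with: `// Whenever an ephemeral peer will be negotiated, restrict AllowedIPs to the gateway until the negotiation completes and the final AllowedIPs are patched in (see the negotiation below).` / `// Only Android relies on this restriction, since it has no firewall to block leaks during negotiation; presumably other platforms ignore gateway_only — confirm in open_tunnel.` It would also be worth documenting on `open_tunnel`'s `gateway_only` parameter that callers must set it exactly when an ephemeral peer is negotiated, since the parameter name alone does not convey that coupling. The enclosing function starts before this hunk and its body continues past it.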
