authorDavid Lönnhager <david.l@mullvad.net>2024-09-18 11:03:02 +0200
committerDavid Lönnhager <david.l@mullvad.net>2024-09-18 11:03:02 +0200
commit5ff831f597c1361effbca3749df056329cbb2f84 (patch)
tree5d3d8e9ecb7101759957c1f702c1a59d5f426a7a /windows
parentcdef6650f38dba21052f1c6e0d5e9e2ebadf0d97 (diff)
parentbeb063780d6f3a261e40ac7940c61c937e2b951d (diff)
Merge branch 'refactor-tunnel-dns-config'
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/winfw.cpp88
-rw-r--r--windows/winfw/src/winfw/winfw.h14
2 files changed, 29 insertions, 73 deletions
diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp
index 3d56eb6620..c862de4b5a 100644
--- a/windows/winfw/src/winfw/winfw.cpp
+++ b/windows/winfw/src/winfw/winfw.cpp
@@ -47,23 +47,6 @@ std::optional<T> MakeOptional(T* object)
return std::make_optional(*object);
}
-//
-// Networks for which DNS requests can be made on all network adapters.
-//
-// This should be synchronized with `ALLOWED_LAN_NETS` in talpid-types,
-// but it also includes loopback addresses.
-//
-wfp::IpNetwork g_privateIpRanges[] = {
- wfp::IpNetwork(wfp::IpAddress::Literal{127, 0, 0, 0}, 8),
- wfp::IpNetwork(wfp::IpAddress::Literal{10, 0, 0, 0}, 8),
- wfp::IpNetwork(wfp::IpAddress::Literal{172, 16, 0, 0}, 12),
- wfp::IpNetwork(wfp::IpAddress::Literal{192, 168, 0, 0}, 16),
- wfp::IpNetwork(wfp::IpAddress::Literal{169, 254, 0, 0}, 16),
- wfp::IpNetwork(wfp::IpAddress::Literal6{0, 0, 0, 0, 0, 0, 0, 1}, 128),
- wfp::IpNetwork(wfp::IpAddress::Literal6{0xfe80, 0, 0, 0, 0, 0, 0, 0}, 10),
- wfp::IpNetwork(wfp::IpAddress::Literal6{0xfc80, 0, 0, 0, 0, 0, 0, 0}, 7)
-};
-
} // anonymous namespace
WINFW_LINKAGE
@@ -303,10 +286,10 @@ WinFw_ApplyPolicyConnected(
const wchar_t **relayClients,
size_t relayClientsLen,
const wchar_t *tunnelInterfaceAlias,
- const wchar_t *v4Gateway,
- const wchar_t *v6Gateway,
- const wchar_t * const *dnsServers,
- size_t numDnsServers
+ const wchar_t * const *tunnelDnsServers,
+ size_t numTunnelDnsServers,
+ const wchar_t * const *nonTunnelDnsServers,
+ size_t numNonTunnelDnsServers
)
{
if (nullptr == g_fwContext)
@@ -331,76 +314,51 @@ WinFw_ApplyPolicyConnected(
THROW_ERROR("Invalid argument: tunnelInterfaceAlias");
}
- if (nullptr == v4Gateway)
+ if (nullptr == tunnelDnsServers)
{
- THROW_ERROR("Invalid argument: v4Gateway");
+ THROW_ERROR("Invalid argument: tunnelDnsServers");
}
- if (nullptr == dnsServers)
+ if (nullptr == nonTunnelDnsServers)
{
- THROW_ERROR("Invalid argument: dnsServers");
+ THROW_ERROR("Invalid argument: nonTunnelDnsServers");
}
- std::vector<wfp::IpAddress> tunnelDnsServers;
- std::vector<wfp::IpAddress> nonTunnelDnsServers;
-
- const auto v4GatewayIp = wfp::IpAddress(v4Gateway);
- const auto v6GatewayIp = (nullptr != v6Gateway)
- ? std::make_optional(wfp::IpAddress(v6Gateway))
- : std::nullopt;
+ std::vector<wfp::IpAddress> convertedTunnelDnsServers;
+ std::vector<wfp::IpAddress> convertedNonTunnelDnsServers;
- const auto addToDnsCollection = [&](const std::optional<wfp::IpAddress> &gatewayIp, wfp::IpAddress &&ip)
+ for (size_t i = 0; i < numTunnelDnsServers; i++)
{
- if (gatewayIp.has_value() && *gatewayIp == ip)
- {
- // Requests to the gateway IP of the tunnel are only allowed on the tunnel interface.
- tunnelDnsServers.emplace_back(ip);
- return;
- }
-
- for (const auto &network : g_privateIpRanges)
- {
- if (network.includes(ip))
- {
- //
- // Resolvers on the LAN must be accessible outside the tunnel.
- //
-
- nonTunnelDnsServers.emplace_back(ip);
- return;
- }
- }
-
- tunnelDnsServers.emplace_back(ip);
- };
-
- for (size_t i = 0; i < numDnsServers; i++)
+ auto ip = wfp::IpAddress(tunnelDnsServers[i]);
+ convertedTunnelDnsServers.push_back(ip);
+ }
+ for (size_t i = 0; i < numNonTunnelDnsServers; i++)
{
- auto ip = wfp::IpAddress(dnsServers[i]);
- addToDnsCollection(ip.type() == wfp::IpAddress::Type::Ipv4 ? v4GatewayIp : v6GatewayIp, std::move(ip));
+ auto ip = wfp::IpAddress(nonTunnelDnsServers[i]);
+ convertedNonTunnelDnsServers.push_back(ip);
}
if (nullptr != g_logSink)
{
std::stringstream ss;
ss << "Non-tunnel DNS servers: ";
- for (size_t i = 0; i < nonTunnelDnsServers.size(); i++) {
+ for (size_t i = 0; i < convertedNonTunnelDnsServers.size(); i++) {
if (i > 0)
{
ss << ", ";
}
- ss << common::string::ToAnsi(nonTunnelDnsServers[i].toString());
+ ss << common::string::ToAnsi(convertedNonTunnelDnsServers[i].toString());
}
g_logSink(MULLVAD_LOG_LEVEL_DEBUG, ss.str().c_str(), g_logSinkContext);
ss.str(std::string());
ss << "Tunnel DNS servers: ";
- for (size_t i = 0; i < tunnelDnsServers.size(); i++) {
+ for (size_t i = 0; i < convertedTunnelDnsServers.size(); i++) {
if (i > 0)
{
ss << ", ";
}
- ss << common::string::ToAnsi(tunnelDnsServers[i].toString());
+ ss << common::string::ToAnsi(convertedTunnelDnsServers[i].toString());
}
g_logSink(MULLVAD_LOG_LEVEL_DEBUG, ss.str().c_str(), g_logSinkContext);
}
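Review bot: With `g_privateIpRanges` and the `addToDnsCollection` lambda removed, this function no longer verifies that entries in `nonTunnelDnsServers` are loopback or LAN addresses before they are handed to the firewall as reachable outside the tunnel, so a public resolver placed in that array by the caller would be permitted to bypass the tunnel; presumably that classification now lives on the Rust side, but the trust boundary should be stated where the arrays are converted, e.g. `// No address classification happens here: the caller decides which resolvers may be reached outside the tunnel.` The two new null checks also reject a null pointer when the matching count is zero, which is fine if callers always pass a valid pointer for empty arrays, but worth a comment such as `// A null pointer is rejected even for an empty array.` so the contract is explicit. As a style point, the conversion loops construct a `wfp::IpAddress` temporary and copy it with `push_back(ip)`; `convertedTunnelDnsServers.reserve(numTunnelDnsServers);` followed by `convertedTunnelDnsServers.emplace_back(tunnelDnsServers[i]);` (and likewise for the non-tunnel list) avoids the copy. WinFw_ApplyPolicyConnected starts and ends outside this hunk.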
@@ -416,8 +374,8 @@ WinFw_ApplyPolicyConnected(
*relay,
relayClientWstrings,
tunnelInterfaceAlias,
- tunnelDnsServers,
- nonTunnelDnsServers
+ convertedTunnelDnsServers,
+ convertedNonTunnelDnsServers
) ? WINFW_POLICY_STATUS_SUCCESS : WINFW_POLICY_STATUS_GENERAL_FAILURE;
}
catch (common::error::WindowsException &err)
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index b786d943d3..ab2a136ceb 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -178,15 +178,13 @@ WinFw_ApplyPolicyConnecting(
// - What is specified by settings
// - Communication with the relay server
// - Non-DNS traffic inside the VPN tunnel
-// - DNS requests inside the VPN tunnel to any specified remote DNS server
-// - DNS requests outside the VPN tunnel to any specified local DNS servers
+// - DNS requests inside the VPN tunnel to any server in 'tunnelDnsServers'
+// - DNS requests outside the VPN tunnel to any server in 'nonTunnelDnsServers'
//
// Parameters:
//
// tunnelInterfaceAlias:
// Friendly name of VPN tunnel interface
-// dnsServers:
-// Array of string-encoded IP addresses of DNS servers to use
//
extern "C"
WINFW_LINKAGE
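Review bot: The parameter documentation for the new arguments is missing: the hunk deletes the `dnsServers:` entry but adds nothing for `tunnelDnsServers`, `numTunnelDnsServers`, `nonTunnelDnsServers` or `numNonTunnelDnsServers`, leaving `tunnelInterfaceAlias` as the only documented parameter. I would add, after the `tunnelInterfaceAlias` entry, `// tunnelDnsServers:` / `//   Array of string-encoded IP addresses of DNS servers that may only be reached inside the tunnel (numTunnelDnsServers entries)` and `// nonTunnelDnsServers:` / `//   Array of string-encoded IP addresses of DNS servers that may only be reached outside the tunnel (numNonTunnelDnsServers entries)`. Since the implementation throws on a null array pointer, the comment should also state that neither pointer may be null even when its count is zero, if that is the intended contract.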
@@ -198,10 +196,10 @@ WinFw_ApplyPolicyConnected(
const wchar_t **relayClient,
size_t relayClientLen,
const wchar_t *tunnelInterfaceAlias,
- const wchar_t *v4Gateway,
- const wchar_t *v6Gateway,
- const wchar_t * const *dnsServers,
- size_t numDnsServers
+ const wchar_t * const *tunnelDnsServers,
+ size_t numTunnelDnsServers,
+ const wchar_t * const *nonTunnelDnsServers,
+ size_t numNonTunnelDnsServers
);
//