git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Selva Nair <selva.nair@gmail.com>
	Sat, 17 Sep 2016 04:10:38 +0000 (00:10 -0400)
committer	Gert Doering <gert@greenie.muc.de>
	Sun, 13 Nov 2016 17:02:42 +0000 (18:02 +0100)
commit	fc30dc5f20d455242ed8489fb1a99446287ba9cb
tree	fcd0637a38fe627a3471bb7cb7e73edcf5ee444c	tree
parent	dd6714ae0a47a9401898ccc0dd7079f58ba29901	commit \| diff

Support --block-outside-dns on multiple tunnels

v2: Simplify the "add sublayer" code.

Currently each instance of openvpn adds WFP filters into an independent
sublayer. As a block in one sublayer can over-ride a permit in another,
this causes all DNS traffic to block when --block-outside-dns is used
in multiple tunnels.

Fix using a common sublayer for adding firewall rules (filters) from all
instances of openvpn and interactive service.
- The sublayer is added in a persistent session so that it could be
  accessed from multiple sessions.
- The sublayer is identified by a fixed UUID defined in block_dns.c
  shared between openvpn.exe and openvpnserv.exe.
- Permit filters for tun/tap interfaces are added with higher priority
  than filters that block all DNS traffic. This is not strictly
  necessary as WFP assigns higher priority to specific filters over generic
  ones, but it may be safer not to rely on that feature.
- All filters are added in dynamic sessions as before. They get
  automatically removed when the process exits. The sublayer will,
  however, persist until reboot.

Resolves Trac 718
Tested on Windows 7, 10 with/without interactive service

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474085439-28766-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12465.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>