OpenVPN
wfp_block.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * 2015-2016 <iam@valdikss.org.ru>
10 * 2016 Selva Nair <selva.nair@gmail.com>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, see <https://www.gnu.org/licenses/>.
23 */
24
25#ifdef HAVE_CONFIG_H
26#include "config.h"
27#endif
28
29#include "syshead.h"
30
31#ifdef _WIN32
32
33#include <fwpmu.h>
34#include <initguid.h>
35#include <fwpmtypes.h>
36#include <winsock2.h>
37#include <ws2ipdef.h>
38#include <iphlpapi.h>
39
40#include "wfp_block.h"
41
42/*
43 * WFP-related defines and GUIDs not in mingw32
44 */
45
46#ifndef FWPM_SESSION_FLAG_DYNAMIC
47#define FWPM_SESSION_FLAG_DYNAMIC 0x00000001
48#endif
49
50/* c38d57d1-05a7-4c33-904f-7fbceee60e82 */
51DEFINE_GUID(FWPM_LAYER_ALE_AUTH_CONNECT_V4, 0xc38d57d1, 0x05a7, 0x4c33, 0x90, 0x4f, 0x7f, 0xbc,
52 0xee, 0xe6, 0x0e, 0x82);
53
54/* 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 */
55DEFINE_GUID(FWPM_LAYER_ALE_AUTH_CONNECT_V6, 0x4a72393b, 0x319f, 0x44bc, 0x84, 0xc3, 0xba, 0x54,
56 0xdc, 0xb3, 0xb6, 0xb4);
57
58/* d78e1e87-8644-4ea5-9437-d809ecefc971 */
59DEFINE_GUID(FWPM_CONDITION_ALE_APP_ID, 0xd78e1e87, 0x8644, 0x4ea5, 0x94, 0x37, 0xd8, 0x09, 0xec,
60 0xef, 0xc9, 0x71);
61
62/* c35a604d-d22b-4e1a-91b4-68f674ee674b */
63DEFINE_GUID(FWPM_CONDITION_IP_REMOTE_PORT, 0xc35a604d, 0xd22b, 0x4e1a, 0x91, 0xb4, 0x68, 0xf6, 0x74,
64 0xee, 0x67, 0x4b);
65
66/* 4cd62a49-59c3-4969-b7f3-bda5d32890a4 */
67DEFINE_GUID(FWPM_CONDITION_IP_LOCAL_INTERFACE, 0x4cd62a49, 0x59c3, 0x4969, 0xb7, 0xf3, 0xbd, 0xa5,
68 0xd3, 0x28, 0x90, 0xa4);
69
70/* 632ce23b-5167-435c-86d7-e903684aa80c */
71DEFINE_GUID(FWPM_CONDITION_FLAGS, 0x632ce23b, 0x5167, 0x435c, 0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a,
72 0xa8, 0x0c);
73
74/* UUID of WFP sublayer used by all instances of openvpn
75 * 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */
76DEFINE_GUID(OPENVPN_WFP_BLOCK_SUBLAYER, 0x2f660d7e, 0x6a37, 0x11e6, 0xa1, 0x81, 0x00, 0x1e, 0x8c,
77 0x6e, 0x04, 0xa2);
78
79static WCHAR *FIREWALL_NAME = L"OpenVPN";
80
81/*
82 * Default msg handler does nothing
83 */
84static inline void
85default_msg_handler(DWORD err, const char *msg)
86{
87 return;
88}
89
90#define OUT_ON_ERROR(err, msg) \
91 if (err) \
92 { \
93 msg_handler(err, msg); \
94 goto out; \
95 }
96
97/*
98 * Add a persistent sublayer with specified uuid.
99 */
100static DWORD
101add_sublayer(GUID uuid)
102{
103 FWPM_SESSION0 session;
104 HANDLE engine = NULL;
105 DWORD err = 0;
106 FWPM_SUBLAYER0 sublayer;
107
108 memset(&session, 0, sizeof(session));
109 memset(&sublayer, 0, sizeof(sublayer));
110
111 err = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine);
112 if (err != ERROR_SUCCESS)
113 {
114 goto out;
115 }
116
117 sublayer.subLayerKey = uuid;
118 sublayer.displayData.name = FIREWALL_NAME;
119 sublayer.displayData.description = FIREWALL_NAME;
120 sublayer.flags = 0;
121 sublayer.weight = 0x100;
122
123 /* Add sublayer to the session */
124 err = FwpmSubLayerAdd0(engine, &sublayer, NULL);
125
126out:
127 if (engine)
128 {
129 FwpmEngineClose0(engine);
130 }
131 return err;
132}
133
134/*
135 * Block outgoing local traffic, possibly DNS only, except for
136 * (i) adapter with the specified index (and loopback, if all is blocked)
137 * OR
138 * (ii) processes with the specified executable path
139 * The firewall filters added here are automatically removed when the process exits or
140 * on calling delete_wfp_block_filters().
141 * Arguments:
142 * engine_handle : On successful return contains the handle for a newly opened fwp session
143 * in which the filters are added.
144 * May be closed by passing to delete_wfp_block_filters to remove the filters.
145 * index : The index of adapter for which traffic is permitted.
146 * exe_path : Path of executable for which traffic is permitted.
147 * msg_handler : An optional callback function for error reporting.
148 * dns_only : Whether the blocking filters should apply for DNS only.
149 * Returns 0 on success, a non-zero status code of the last failed action on failure.
150 */
151
152DWORD
153add_wfp_block_filters(HANDLE *engine_handle, int index, const WCHAR *exe_path,
154 wfp_block_msg_handler_t msg_handler, BOOL dns_only)
155{
156 FWPM_SESSION0 session = { 0 };
157 FWPM_SUBLAYER0 *sublayer_ptr = NULL;
158 NET_LUID itf_luid;
159 UINT64 filterid;
160 FWP_BYTE_BLOB *openvpnblob = NULL;
161 FWPM_FILTER0 Filter = { 0 };
162 FWPM_FILTER_CONDITION0 Condition[2];
163 FWPM_FILTER_CONDITION0 match_openvpn = { 0 };
164 FWPM_FILTER_CONDITION0 match_port_53 = { 0 };
165 FWPM_FILTER_CONDITION0 match_interface = { 0 };
166 FWPM_FILTER_CONDITION0 match_loopback = { 0 };
167 FWPM_FILTER_CONDITION0 match_not_loopback = { 0 };
168 DWORD err = 0;
169
170 if (!msg_handler)
171 {
172 msg_handler = default_msg_handler;
173 }
174
175 /* Add temporary filters which don't survive reboots or crashes. */
176 session.flags = FWPM_SESSION_FLAG_DYNAMIC;
177
178 *engine_handle = NULL;
179
180 err = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, engine_handle);
181 OUT_ON_ERROR(err, "FwpEngineOpen: open fwp session failed");
182 msg_handler(0, "WFP Block: WFP engine opened");
183
184 /* Check sublayer exists and add one if it does not. */
185 if (FwpmSubLayerGetByKey0(*engine_handle, &OPENVPN_WFP_BLOCK_SUBLAYER, &sublayer_ptr)
186 == ERROR_SUCCESS)
187 {
188 msg_handler(0, "WFP Block: Using existing sublayer");
189 FwpmFreeMemory0((void **)&sublayer_ptr);
190 }
191 else
192 { /* Add a new sublayer -- as another process may add it in the meantime,
193 * do not treat "already exists" as an error */
194 err = add_sublayer(OPENVPN_WFP_BLOCK_SUBLAYER);
195
196 if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS)
197 {
198 msg_handler(0, "WFP Block: Added a persistent sublayer with pre-defined UUID");
199 }
200 else
201 {
202 OUT_ON_ERROR(err, "add_sublayer: failed to add persistent sublayer");
203 }
204 }
205
206 err = ConvertInterfaceIndexToLuid(index, &itf_luid);
207 OUT_ON_ERROR(err, "Convert interface index to luid failed");
208
209 err = FwpmGetAppIdFromFileName0(exe_path, &openvpnblob);
210 OUT_ON_ERROR(err, "Get byte blob for openvpn executable name failed");
211
212 /* Prepare match conditions */
213 match_openvpn.fieldKey = FWPM_CONDITION_ALE_APP_ID;
214 match_openvpn.matchType = FWP_MATCH_EQUAL;
215 match_openvpn.conditionValue.type = FWP_BYTE_BLOB_TYPE;
216 match_openvpn.conditionValue.byteBlob = openvpnblob;
217
218 match_port_53.fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
219 match_port_53.matchType = FWP_MATCH_EQUAL;
220 match_port_53.conditionValue.type = FWP_UINT16;
221 match_port_53.conditionValue.uint16 = 53;
222
223 match_interface.fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;
224 match_interface.matchType = FWP_MATCH_EQUAL;
225 match_interface.conditionValue.type = FWP_UINT64;
226 match_interface.conditionValue.uint64 = &itf_luid.Value;
227
228 match_loopback.fieldKey = FWPM_CONDITION_FLAGS;
229 match_loopback.matchType = FWP_MATCH_FLAGS_ALL_SET;
230 match_loopback.conditionValue.type = FWP_UINT32;
231 match_loopback.conditionValue.uint32 = FWP_CONDITION_FLAG_IS_LOOPBACK;
232
233 match_not_loopback.fieldKey = FWPM_CONDITION_FLAGS;
234 match_not_loopback.matchType = FWP_MATCH_FLAGS_NONE_SET;
235 match_not_loopback.conditionValue.type = FWP_UINT32;
236 match_not_loopback.conditionValue.uint32 = FWP_CONDITION_FLAG_IS_LOOPBACK;
237
238 /* Prepare filter. */
239 Filter.subLayerKey = OPENVPN_WFP_BLOCK_SUBLAYER;
240 Filter.displayData.name = FIREWALL_NAME;
241 Filter.weight.type = FWP_UINT8;
242 Filter.weight.uint8 = 0xF;
243 Filter.filterCondition = Condition;
244 Filter.numFilterConditions = 1;
245
246 /* First filter. Permit IPv4 from OpenVPN itself. */
247 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
248 Filter.action.type = FWP_ACTION_PERMIT;
249 Condition[0] = match_openvpn;
250 if (dns_only)
251 {
252 Filter.numFilterConditions = 2;
253 Condition[1] = match_port_53;
254 }
255 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
256 OUT_ON_ERROR(err, "Add filter to permit IPv4 traffic from OpenVPN failed");
257
258 /* Second filter. Permit IPv6 from OpenVPN itself. */
259 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
260 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
261 OUT_ON_ERROR(err, "Add filter to permit IPv6 traffic from OpenVPN failed");
262
263 msg_handler(0, "WFP Block: Added permit filters for exe_path");
264
265 /* Third filter. Block IPv4 to port 53 or all except loopback. */
266 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
267 Filter.action.type = FWP_ACTION_BLOCK;
268 Filter.weight.type = FWP_EMPTY;
269 Filter.numFilterConditions = 1;
270 Condition[0] = match_not_loopback;
271 if (dns_only)
272 {
273 Filter.numFilterConditions = 2;
274 Condition[1] = match_port_53;
275 }
276 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
277 OUT_ON_ERROR(err, "Add filter to block IPv4 traffic failed");
278
279 /* Fourth filter. Block IPv6 to port 53 or all besides loopback */
280 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
281 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
282 OUT_ON_ERROR(err, "Add filter to block IPv6 traffic failed");
283
284 msg_handler(0, "WFP Block: Added block filters for all interfaces");
285
286 /* Fifth filter. Permit all IPv4 or just DNS traffic for the VPN interface.
287 * Use a non-zero weight so that the permit filters get higher priority
288 * over the block filter added with automatic weighting */
289 Filter.weight.type = FWP_UINT8;
290 Filter.weight.uint8 = 0xE;
291 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
292 Filter.action.type = FWP_ACTION_PERMIT;
293 Filter.numFilterConditions = 1;
294 Condition[0] = match_interface;
295 if (dns_only)
296 {
297 Filter.numFilterConditions = 2;
298 Condition[1] = match_port_53;
299 }
300 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
301 OUT_ON_ERROR(err, "Add filter to permit IPv4 traffic through VPN interface failed");
302
303 /* Sixth filter. Permit all IPv6 or just DNS traffic for the VPN interface.
304 * Use same weight as IPv4 filter */
305 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
306 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
307 OUT_ON_ERROR(err, "Add filter to permit IPv6 traffic through VPN interface failed");
308
309 msg_handler(0, "WFP Block: Added permit filters for VPN interface");
310
311 /* Seventh Filter. Block IPv4 DNS requests to loopback from other apps */
312 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
313 Filter.action.type = FWP_ACTION_BLOCK;
314 Filter.weight.type = FWP_EMPTY;
315 Filter.numFilterConditions = 2;
316 Condition[0] = match_loopback;
317 Condition[1] = match_port_53;
318 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
319 OUT_ON_ERROR(err, "Add filter to block IPv4 DNS traffic to loopback failed");
320
321 /* Eighth Filter. Block IPv6 DNS requests to loopback from other apps */
322 Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
323 err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
324 OUT_ON_ERROR(err, "Add filter to block IPv6 DNS traffic to loopback failed");
325
326 msg_handler(0, "WFP Block: Added block filters for DNS traffic to loopback");
327
328out:
329 if (openvpnblob)
330 {
331 FwpmFreeMemory0((void **)&openvpnblob);
332 }
333
334 if (err && *engine_handle)
335 {
336 FwpmEngineClose0(*engine_handle);
337 *engine_handle = NULL;
338 }
339
340 return err;
341}
342
343DWORD
344delete_wfp_block_filters(HANDLE engine_handle)
345{
346 DWORD err = 0;
347 /*
348 * For dynamic sessions closing the engine removes all filters added in the session
349 */
350 if (engine_handle)
351 {
352 err = FwpmEngineClose0(engine_handle);
353 }
354 return err;
355}
356
357/*
358 * Return interface metric value for the specified interface index.
359 *
360 * Arguments:
361 * index : The index of TAP adapter.
362 * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6).
363 * is_auto : On return set to true if automatic metric is in use.
364 * Unused if NULL.
365 *
366 * Returns positive metric value or -1 on error.
367 */
368int
369get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *is_auto)
370{
371 DWORD err = 0;
372 MIB_IPINTERFACE_ROW ipiface;
373 InitializeIpInterfaceEntry(&ipiface);
374 ipiface.Family = family;
375 ipiface.InterfaceIndex = index;
376
377 if (is_auto)
378 {
379 *is_auto = 0;
380 }
381 err = GetIpInterfaceEntry(&ipiface);
382
383 /* On Windows metric is never > INT_MAX so return value of int is ok.
384 * But we check for overflow nevertheless.
385 */
386 if (err == NO_ERROR && ipiface.Metric <= INT_MAX)
387 {
388 if (is_auto)
389 {
390 *is_auto = ipiface.UseAutomaticMetric;
391 }
392 return (int)ipiface.Metric;
393 }
394 return -1;
395}
396
397/*
398 * Sets interface metric value for specified interface index.
399 *
400 * Arguments:
401 * index : The index of TAP adapter.
402 * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6).
403 * metric : Metric value. 0 for automatic metric.
404 * Returns 0 on success, a non-zero status code of the last failed action on failure.
405 */
406
407DWORD
408set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric)
409{
410 DWORD err = 0;
411 MIB_IPINTERFACE_ROW ipiface;
412 InitializeIpInterfaceEntry(&ipiface);
413 ipiface.Family = family;
414 ipiface.InterfaceIndex = index;
415 err = GetIpInterfaceEntry(&ipiface);
416 if (err == NO_ERROR)
417 {
418 if (family == AF_INET)
419 {
420 /* required for IPv4 as per MSDN */
421 ipiface.SitePrefixLength = 0;
422 }
423 ipiface.Metric = metric;
424 if (metric == 0)
425 {
426 ipiface.UseAutomaticMetric = TRUE;
427 }
428 else
429 {
430 ipiface.UseAutomaticMetric = FALSE;
431 }
432 err = SetIpInterfaceEntry(&ipiface);
433 if (err == NO_ERROR)
434 {
435 return 0;
436 }
437 }
438 return err;
439}
440
441#endif /* ifdef _WIN32 */
UINT64
#define UINT64(c)
Definition ntlm.c:51
msg
#define msg(flags,...)
Definition error.h:150
get_interface_metric
int get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, int *is_auto)
Return interface metric value for the specified interface index.
Definition wfp_block.c:369
DEFINE_GUID
DEFINE_GUID(FWPM_LAYER_ALE_AUTH_CONNECT_V4, 0xc38d57d1, 0x05a7, 0x4c33, 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82)
OUT_ON_ERROR
#define OUT_ON_ERROR(err, msg)
Definition wfp_block.c:90
default_msg_handler
static void default_msg_handler(DWORD err, const char *msg)
Definition wfp_block.c:85
add_sublayer
static DWORD add_sublayer(GUID uuid)
Definition wfp_block.c:101
set_interface_metric
DWORD set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric)
Sets interface metric value for specified interface index.
Definition wfp_block.c:408
FIREWALL_NAME
static WCHAR * FIREWALL_NAME
Definition wfp_block.c:79
delete_wfp_block_filters
DWORD delete_wfp_block_filters(HANDLE engine_handle)
Definition wfp_block.c:344
FWPM_SESSION_FLAG_DYNAMIC
#define FWPM_SESSION_FLAG_DYNAMIC
Definition wfp_block.c:47
add_wfp_block_filters
DWORD add_wfp_block_filters(HANDLE *engine_handle, int index, const WCHAR *exe_path, wfp_block_msg_handler_t msg_handler, BOOL dns_only)
Definition wfp_block.c:153
wfp_block.h
wfp_block_msg_handler_t
void(* wfp_block_msg_handler_t)(DWORD err, const char *msg)
Definition wfp_block.h:35
Generated by doxygen 1.9.8