OpenVPN 3 Core Library
Loading...
Searching...
No Matches
wfp.hpp
Go to the documentation of this file.
1// OpenVPN -- An application to securely tunnel IP networks
2// over a single port, with support for SSL/TLS-based
3// session authentication and key exchange,
4// packet encryption, packet authentication, and
5// packet compression.
6//
7// Copyright (C) 2012- OpenVPN Inc.
8//
9// SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
10//
11// SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
12//
13
14#pragma once
15
16#include <ostream>
17
18#include <openvpn/common/rc.hpp>
19#include <openvpn/common/wstring.hpp>
20#include <openvpn/common/action.hpp>
21#include <openvpn/common/uniqueptr.hpp>
22#include <openvpn/buffer/bufstr.hpp>
23#include <openvpn/tun/win/tunutil.hpp>
24#include <openvpn/win/winerr.hpp>
25
26#include <fwpmu.h>
27#include <fwpmtypes.h>
28#include <iphlpapi.h>
29#include <wchar.h>
30
31#ifdef __MINGW32__
32
33#include <initguid.h>
34
35// WFP-related defines and GUIDs not in mingw32
36
37#ifndef FWPM_SESSION_FLAG_DYNAMIC
38#define FWPM_SESSION_FLAG_DYNAMIC 0x00000001
39#endif
40
41// defines below are taken from openvpn2 code
42// which likely borrowed them from Windows SDK header fwpmu.h
43
44/* c38d57d1-05a7-4c33-904f-7fbceee60e82 */
45DEFINE_GUID(
46 FWPM_LAYER_ALE_AUTH_CONNECT_V4,
47 0xc38d57d1,
48 0x05a7,
49 0x4c33,
50 0x90,
51 0x4f,
52 0x7f,
53 0xbc,
54 0xee,
55 0xe6,
56 0x0e,
57 0x82);
58
59/* 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 */
60DEFINE_GUID(
61 FWPM_LAYER_ALE_AUTH_CONNECT_V6,
62 0x4a72393b,
63 0x319f,
64 0x44bc,
65 0x84,
66 0xc3,
67 0xba,
68 0x54,
69 0xdc,
70 0xb3,
71 0xb6,
72 0xb4);
73
74/* d78e1e87-8644-4ea5-9437-d809ecefc971 */
75DEFINE_GUID(
76 FWPM_CONDITION_ALE_APP_ID,
77 0xd78e1e87,
78 0x8644,
79 0x4ea5,
80 0x94,
81 0x37,
82 0xd8,
83 0x09,
84 0xec,
85 0xef,
86 0xc9,
87 0x71);
88
89/* c35a604d-d22b-4e1a-91b4-68f674ee674b */
90DEFINE_GUID(
91 FWPM_CONDITION_IP_REMOTE_PORT,
92 0xc35a604d,
93 0xd22b,
94 0x4e1a,
95 0x91,
96 0xb4,
97 0x68,
98 0xf6,
99 0x74,
100 0xee,
101 0x67,
102 0x4b);
103
104/* 4cd62a49-59c3-4969-b7f3-bda5d32890a4 */
105DEFINE_GUID(
106 FWPM_CONDITION_IP_LOCAL_INTERFACE,
107 0x4cd62a49,
108 0x59c3,
109 0x4969,
110 0xb7,
111 0xf3,
112 0xbd,
113 0xa5,
114 0xd3,
115 0x28,
116 0x90,
117 0xa4);
118
119/* 632ce23b-5167-435c-86d7-e903684aa80c */
120DEFINE_GUID(
121 FWPM_CONDITION_FLAGS,
122 0x632ce23b,
123 0x5167,
124 0x435c,
125 0x86,
126 0xd7,
127 0xe9,
128 0x03,
129 0x68,
130 0x4a,
131 0xa8,
132 0x0c);
133
134#endif
135
136namespace openvpn::TunWin {
137
141class WFP : public RC<thread_unsafe_refcount>
142{
143 public:
144 typedef RCPtr<WFP> Ptr;
145
146 OPENVPN_EXCEPTION(wfp_error);
147
151 enum class Block
152 {
153 All,
154 AllButLocalDns,
155 Dns,
156 DnsButAllowLocal,
157 };
158
159 class ActionBase;
160
164 class Context : public RC<thread_unsafe_refcount>
165 {
166 public:
167 typedef RCPtr<Context> Ptr;
168
169 private:
170 friend class ActionBase;
171
172 void block(const std::wstring &openvpn_app_path,
173 const NET_IFINDEX itf_index,
174 const Block block_type,
175 std::ostream &log)
176 {
177 unblock(log);
178 wfp.reset(new WFP());
179 wfp->block(openvpn_app_path, itf_index, block_type, log);
180 }
181
182 void unblock(std::ostream &log)
183 {
184 if (wfp)
185 {
186 wfp->reset(log);
187 wfp.reset();
188 }
189 }
190
191 WFP::Ptr wfp;
192 };
193
202 class ActionBase : public Action
203 {
204 public:
210 void execute(std::ostream &log) override
211 {
212 log << to_string() << std::endl;
213 if (block_)
214 ctx_->block(openvpn_app_path_, itf_index_, block_type_, log);
215 else
216 ctx_->unblock(log);
217 }
218
219 std::string to_string() const override
220 {
221 return "ActionBase openvpn_app_path=" + wstring::to_utf8(openvpn_app_path_)
222 + " tap_index=" + std::to_string(itf_index_)
223 + " enable=" + std::to_string(block_);
224 }
225
226 protected:
227 ActionBase(const bool block,
228 const std::wstring &openvpn_app_path,
229 const NET_IFINDEX itf_index,
230 const Block block_type,
231 const Context::Ptr &ctx)
232 : block_(block),
233 openvpn_app_path_(openvpn_app_path),
234 itf_index_(itf_index),
235 block_type_(block_type),
236 ctx_(ctx)
237 {
238 }
239
240 private:
241 const bool block_;
242 const std::wstring openvpn_app_path_;
243 const NET_IFINDEX itf_index_;
244 const Block block_type_;
245 Context::Ptr ctx_;
246 };
247
248 struct ActionBlock : public ActionBase
249 {
250 ActionBlock(const std::wstring &openvpn_app_path,
251 const NET_IFINDEX itf_index,
252 const Block block_type,
253 const Context::Ptr &wfp)
254 : ActionBase(true, openvpn_app_path, itf_index, block_type, wfp)
255 {
256 }
257 };
258
259 struct ActionUnblock : public ActionBase
260 {
261 ActionUnblock(const std::wstring &openvpn_app_path,
262 const NET_IFINDEX itf_index,
263 const Block block_type,
264 const Context::Ptr &wfp)
265 : ActionBase(false, openvpn_app_path, itf_index, block_type, wfp)
266 {
267 }
268 };
269
270 private:
271 friend class Context;
272
288 void block(const std::wstring &openvpn_app_path,
289 NET_IFINDEX itf_index,
290 Block block_type,
291 std::ostream &log)
292 {
293 // WFP filter/conditions
294 FWPM_FILTER0 filter = {};
295 FWPM_FILTER_CONDITION0 condition[2] = {};
296 FWPM_FILTER_CONDITION0 match_openvpn = {};
297 FWPM_FILTER_CONDITION0 match_port_53 = {};
298 FWPM_FILTER_CONDITION0 match_interface = {};
299 FWPM_FILTER_CONDITION0 match_loopback = {};
300 FWPM_FILTER_CONDITION0 match_not_loopback = {};
301 UINT64 filterid = 0;
302
303 // Get NET_LUID object for adapter
304 NET_LUID itf_luid = adapter_index_to_luid(itf_index);
305
306 // Get app ID
307 unique_ptr_del<FWP_BYTE_BLOB> openvpn_app_id_blob = get_app_id_blob(openvpn_app_path);
308
309 // Populate packet filter layer information
310 {
311 FWPM_SUBLAYER0 subLayer = {};
312 subLayer.subLayerKey = subLayerGUID;
313 subLayer.displayData.name = const_cast<wchar_t *>(L"OpenVPN");
314 subLayer.displayData.description = const_cast<wchar_t *>(L"OpenVPN");
315 subLayer.flags = 0;
316 subLayer.weight = 0x100;
317
318 // Add packet filter to interface
319 const DWORD status = ::FwpmSubLayerAdd0(engineHandle(), &subLayer, NULL);
320 if (status != ERROR_SUCCESS)
321 OPENVPN_THROW(wfp_error, "FwpmSubLayerAdd0 failed with status=0x" << std::hex << status);
322 }
323
324 /* Prepare match conditions */
325 match_openvpn.fieldKey = FWPM_CONDITION_ALE_APP_ID;
326 match_openvpn.matchType = FWP_MATCH_EQUAL;
327 match_openvpn.conditionValue.type = FWP_BYTE_BLOB_TYPE;
328 match_openvpn.conditionValue.byteBlob = openvpn_app_id_blob.get();
329
330 match_port_53.fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
331 match_port_53.matchType = FWP_MATCH_EQUAL;
332 match_port_53.conditionValue.type = FWP_UINT16;
333 match_port_53.conditionValue.uint16 = 53;
334
335 match_interface.fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;
336 match_interface.matchType = FWP_MATCH_EQUAL;
337 match_interface.conditionValue.type = FWP_UINT64;
338 match_interface.conditionValue.uint64 = &itf_luid.Value;
339
340 match_loopback.fieldKey = FWPM_CONDITION_FLAGS;
341 match_loopback.matchType = FWP_MATCH_FLAGS_ALL_SET;
342 match_loopback.conditionValue.type = FWP_UINT32;
343 match_loopback.conditionValue.uint32 = FWP_CONDITION_FLAG_IS_LOOPBACK;
344
345 match_not_loopback.fieldKey = FWPM_CONDITION_FLAGS;
346 match_not_loopback.matchType = FWP_MATCH_FLAGS_NONE_SET;
347 match_not_loopback.conditionValue.type = FWP_UINT32;
348 match_not_loopback.conditionValue.uint32 = FWP_CONDITION_FLAG_IS_LOOPBACK;
349
350 // Prepare filter
351 filter.subLayerKey = subLayerGUID;
352 filter.displayData.name = const_cast<wchar_t *>(L"OpenVPN");
353 filter.weight.type = FWP_UINT8;
354 filter.weight.uint8 = 0xF;
355 filter.filterCondition = condition;
356
357 // Filter #1 -- permit IPv4 requests from OpenVPN app
358 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
359 filter.action.type = FWP_ACTION_PERMIT;
360 filter.numFilterConditions = 1;
361 condition[0] = match_openvpn;
362 add_filter(&filter, NULL, &filterid);
363 log << "permit IPv4 requests from OpenVPN app" << std::endl;
364
365
366 // Filter #2 -- permit IPv6 requests from OpenVPN app
367 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
368 add_filter(&filter, NULL, &filterid);
369 log << "permit IPv6 requests from OpenVPN app" << std::endl;
370
371
372 // Filter #3 -- block IPv4 (DNS) requests, except to loopback, from other apps
373 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
374 filter.action.type = FWP_ACTION_BLOCK;
375 filter.weight.type = FWP_EMPTY;
376 filter.numFilterConditions = 1;
377 condition[0] = match_not_loopback;
378 std::string dns_str;
379 if (block_type == Block::Dns || block_type == Block::DnsButAllowLocal)
380 {
381 filter.numFilterConditions = 2;
382 condition[1] = match_port_53;
383 dns_str = "DNS ";
384 }
385 add_filter(&filter, NULL, &filterid);
386 log << "block IPv4 " << dns_str << "requests from other apps" << std::endl;
387
388
389 // Filter #4 -- block IPv6 (DNS) requests, except to loopback, from other apps
390 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
391 add_filter(&filter, NULL, &filterid);
392 log << "block IPv6 " << dns_str << "requests from other apps" << std::endl;
393
394
395 // Filter #5 -- allow IPv4 traffic from VPN interface
396 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
397 filter.action.type = FWP_ACTION_PERMIT;
398 filter.numFilterConditions = 1;
399 condition[0] = match_interface;
400 add_filter(&filter, NULL, &filterid);
401 log << "allow IPv4 traffic from TAP" << std::endl;
402
403
404 // Filter #6 -- allow IPv6 traffic from VPN interface
405 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
406 add_filter(&filter, NULL, &filterid);
407 log << "allow IPv6 traffic from TAP" << std::endl;
408
409 if (block_type != Block::AllButLocalDns && block_type != Block::DnsButAllowLocal)
410 {
411 // Filter #7 -- block IPv4 DNS requests to loopback from other apps
412 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
413 filter.action.type = FWP_ACTION_BLOCK;
414 filter.weight.type = FWP_EMPTY;
415 filter.numFilterConditions = 2;
416 condition[0] = match_loopback;
417 condition[1] = match_port_53;
418 add_filter(&filter, NULL, &filterid);
419 log << "block IPv4 DNS requests to loopback from other apps" << std::endl;
420
421
422 // Filter #8 -- block IPv6 DNS requests to loopback from other apps
423 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
424 add_filter(&filter, NULL, &filterid);
425 log << "block IPv6 DNS requests to loopback from other apps" << std::endl;
426 }
427 }
428
434 void reset(std::ostream &log)
435 {
436 engineHandle.reset(&log);
437 }
438
442 class EngineHandle
443 {
444 public:
448 EngineHandle()
449 {
450 FWPM_SESSION0 session = {};
451
452 // delete all filters when engine handle is closed
453 session.flags = FWPM_SESSION_FLAG_DYNAMIC;
454
455 const DWORD status = ::FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &handle);
456 if (status != ERROR_SUCCESS)
457 OPENVPN_THROW(wfp_error, "FwpmEngineOpen0 failed with status=0x" << std::hex << status);
458 }
459
467 void reset(std::ostream *log)
468 {
469 if (defined())
470 {
471 const DWORD status = ::FwpmEngineClose0(handle);
472 handle = INVALID_HANDLE_VALUE;
473 if (log)
474 {
475 if (status != ERROR_SUCCESS)
476 *log << "FwpmEngineClose0 failed, status=" << status << std::endl;
477 else
478 *log << "WFP Engine closed" << std::endl;
479 }
480 }
481 }
482
483 ~EngineHandle()
484 {
485 reset(nullptr);
486 }
487
488 bool defined() const
489 {
490 return Win::Handle::defined(handle);
491 }
492
498 HANDLE operator()() const
499 {
500 return handle;
501 }
502
503 private:
504 EngineHandle(const EngineHandle &) = delete;
505 EngineHandle &operator=(const EngineHandle &) = delete;
506
507 HANDLE handle = INVALID_HANDLE_VALUE;
508 };
509
510 static GUID new_guid()
511 {
512 UUID ret;
513 const RPC_STATUS status = ::UuidCreate(&ret);
514 if (status != RPC_S_OK && status != RPC_S_UUID_LOCAL_ONLY)
515 throw wfp_error("UuidCreate failed");
516 return ret;
517 }
518
519 static NET_LUID adapter_index_to_luid(const NET_IFINDEX index)
520 {
521 NET_LUID itf_luid;
522 const NETIO_STATUS ret = ::ConvertInterfaceIndexToLuid(index, &itf_luid);
523 if (ret != NO_ERROR)
524 throw wfp_error("ConvertInterfaceIndexToLuid failed");
525 return itf_luid;
526 }
527
528 static unique_ptr_del<FWP_BYTE_BLOB> get_app_id_blob(const std::wstring &app_path)
529 {
530 FWP_BYTE_BLOB *blob;
531 const DWORD status = ::FwpmGetAppIdFromFileName0(app_path.c_str(), &blob);
532 if (status != ERROR_SUCCESS)
533 OPENVPN_THROW(wfp_error, "FwpmGetAppIdFromFileName0 failed, status=0x" << std::hex << status);
534 return unique_ptr_del<FWP_BYTE_BLOB>(blob, [](FWP_BYTE_BLOB *blob)
535 { ::FwpmFreeMemory0((void **)&blob); });
536 }
537
538 void add_filter(const FWPM_FILTER0 *filter,
539 PSECURITY_DESCRIPTOR sd,
540 UINT64 *id)
541 {
542 const DWORD status = ::FwpmFilterAdd0(engineHandle(), filter, sd, id);
543 if (status != ERROR_SUCCESS)
544 OPENVPN_THROW(wfp_error, "FwpmFilterAdd0 failed, status=0x" << std::hex << status);
545 }
546
547 const GUID subLayerGUID{new_guid()};
548 EngineHandle engineHandle;
549};
550
551} // namespace openvpn::TunWin
openvpn::RCPtr
The smart pointer class.
Definition rc.hpp:119
openvpn::RCPtr::reset
void reset() noexcept
Points this RCPtr<T> to nullptr safely.
Definition rc.hpp:290
openvpn::RC
Reference count base class for objects tracked by RCPtr. Disallows copying and assignment.
Definition rc.hpp:912
openvpn::TunWin::WFP::ActionBase
Base class for WFP actions.
Definition wfp.hpp:203
openvpn::TunWin::WFP::ActionBase::itf_index_
const NET_IFINDEX itf_index_
Definition wfp.hpp:243
openvpn::TunWin::WFP::ActionBase::execute
void execute(std::ostream &log) override
Invoke the context class to block / unblock traffic.
Definition wfp.hpp:210
openvpn::TunWin::WFP::ActionBase::to_string
std::string to_string() const override
Definition wfp.hpp:219
openvpn::TunWin::WFP::ActionBase::openvpn_app_path_
const std::wstring openvpn_app_path_
Definition wfp.hpp:242
openvpn::TunWin::WFP::ActionBase::ActionBase
ActionBase(const bool block, const std::wstring &openvpn_app_path, const NET_IFINDEX itf_index, const Block block_type, const Context::Ptr &ctx)
Definition wfp.hpp:227
openvpn::TunWin::WFP::Context
Wrapper class for a WFP session.
Definition wfp.hpp:165
openvpn::TunWin::WFP::Context::block
void block(const std::wstring &openvpn_app_path, const NET_IFINDEX itf_index, const Block block_type, std::ostream &log)
Definition wfp.hpp:172
openvpn::TunWin::WFP::Context::Ptr
RCPtr< Context > Ptr
Definition wfp.hpp:167
openvpn::TunWin::WFP::Context::unblock
void unblock(std::ostream &log)
Definition wfp.hpp:182
openvpn::TunWin::WFP::EngineHandle::reset
void reset(std::ostream *log)
Close the engine handle.
Definition wfp.hpp:467
openvpn::TunWin::WFP::EngineHandle::EngineHandle
EngineHandle()
Open a new WFP session and store the handle.
Definition wfp.hpp:448
openvpn::TunWin::WFP::EngineHandle::operator()
HANDLE operator()() const
Return the engine handle.
Definition wfp.hpp:498
openvpn::TunWin::WFP::EngineHandle::EngineHandle
EngineHandle(const EngineHandle &)=delete
openvpn::TunWin::WFP::EngineHandle::operator=
EngineHandle & operator=(const EngineHandle &)=delete
openvpn::TunWin::WFP
Add WFP rules to block traffic from escaping the VPN.
Definition wfp.hpp:142
openvpn::TunWin::WFP::Block
Block
Enum for type of local traffic to block.
Definition wfp.hpp:152
openvpn::TunWin::WFP::add_filter
void add_filter(const FWPM_FILTER0 *filter, PSECURITY_DESCRIPTOR sd, UINT64 *id)
Definition wfp.hpp:538
openvpn::TunWin::WFP::OPENVPN_EXCEPTION
OPENVPN_EXCEPTION(wfp_error)
openvpn::TunWin::WFP::Ptr
RCPtr< WFP > Ptr
Definition wfp.hpp:144
openvpn::TunWin::WFP::reset
void reset(std::ostream &log)
Remove WFP block filters.
Definition wfp.hpp:434
openvpn::TunWin::WFP::block
void block(const std::wstring &openvpn_app_path, NET_IFINDEX itf_index, Block block_type, std::ostream &log)
Add WFP block filters to prevent VPN traffic from leaking.
Definition wfp.hpp:288
openvpn::TunWin::WFP::new_guid
static GUID new_guid()
Definition wfp.hpp:510
openvpn::TunWin::WFP::get_app_id_blob
static unique_ptr_del< FWP_BYTE_BLOB > get_app_id_blob(const std::wstring &app_path)
Definition wfp.hpp:528
openvpn::TunWin::WFP::adapter_index_to_luid
static NET_LUID adapter_index_to_luid(const NET_IFINDEX index)
Definition wfp.hpp:519
openvpn::TunWin::WFP::engineHandle
EngineHandle engineHandle
Definition wfp.hpp:548
openvpn::TunWin::WFP::subLayerGUID
const GUID subLayerGUID
Definition wfp.hpp:547
OPENVPN_THROW
#define OPENVPN_THROW(exc, stuff)
Definition exception.hpp:175
openvpn::TunWin
DNS utilities for Windows.
Definition clientconfig.hpp:21
openvpn::Win::Handle::defined
bool defined(HANDLE handle)
Definition handle.hpp:25
openvpn::unique_ptr_del
std::unique_ptr< T, std::function< void(T *)> > unique_ptr_del
Definition uniqueptr.hpp:21
openvpn::TunWin::WFP::ActionBlock::ActionBlock
ActionBlock(const std::wstring &openvpn_app_path, const NET_IFINDEX itf_index, const Block block_type, const Context::Ptr &wfp)
Definition wfp.hpp:250
openvpn::TunWin::WFP::ActionUnblock::ActionUnblock
ActionUnblock(const std::wstring &openvpn_app_path, const NET_IFINDEX itf_index, const Block block_type, const Context::Ptr &wfp)
Definition wfp.hpp:261
ret
std::string ret
Definition test_capture.cpp:268