
firewall rules for remote do not include the destination ip address #163

Closed
ak-1 opened this issue Jun 16, 2022 · 4 comments

Comments

@ak-1
Contributor

ak-1 commented Jun 16, 2022

The firewall rules for the remote address do not include the destination IP address.
The parameters are commented out in the code:

// "-d",
// &ip.to_string()

There is also this comment:

// TODO: Fix this to specify destination address - but need hostname
// resolution working

However, doesn't this only apply to the Host::Hostname(_name) => match case?
If I enable these parameters for the Host::IPv4(ip) => branch, it at least seems to work for me.

In any case, isn't it a significant hole in the killswitch if we only filter on the port/protocol?

@jamesmcm
Owner

IIRC this is a specific issue for OpenVPN.

The issue is that since we get the DNS address from the server response in some cases, we can't know it before connecting. This means we can't set the firewall to only allow connections to the DNS server and tunnel.

I tried to work around it at the time, but couldn't get it to work. Since I never use OpenVPN myself, I haven't had time to go back and fix it yet.

I'll try to look at it again when I get time (also to refactor out the CLI and library code), but in the meantime you can try adjusting the rules, and when they are set, to see if you find something that works for OpenVPN connections that receive the DNS address in the OpenVPN connection response.

@ak-1
Contributor Author

ak-1 commented Jun 19, 2022

I use OpenVPN and vopono -v shows "Found OpenVPN DNS response" and "Set OpenVPN DNS to" messages.

If I change the vopono firewall code to

  • limit the remote rule to the remote's IP address and
  • not create the explicit DNS rules

then everything still works fine.

Maybe the issue you are describing depends not only on OpenVPN being used, but also on some other factors.
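The remote rule with and without the destination restriction that ak-1 describes in both comments above (enabling the commented-out `-d` / `&ip.to_string()` parameters for the `Host::IPv4(ip) =>` arm), as an added Rust example that is not vopono's code; the `Host` enum shape, the `RemoteRule` type and the sample addresses are assumptions made for illustration:

```rust
use std::net::Ipv4Addr;

/// Remote host as parsed from the VPN config (assumed shape; the issue names
/// the Host::IPv4 and Host::Hostname match arms).
#[derive(Debug, Clone)]
pub enum Host {
    IPv4(Ipv4Addr),
    Hostname(String),
}

/// Simplified rule: which outgoing packets it accepts.
#[derive(Debug)]
pub struct RemoteRule {
    pub proto: String,
    pub dport: u16,
    /// None means any destination, the gap the issue describes.
    pub dst: Option<Ipv4Addr>,
}

/// Build the remote rule; `restrict_dst` corresponds to enabling the
/// commented-out `-d` / `&ip.to_string()` parameters. A hostname stays
/// unrestricted here because name resolution is out of scope.
pub fn remote_rule(host: &Host, proto: &str, dport: u16, restrict_dst: bool) -> RemoteRule {
    let dst = match (host, restrict_dst) {
        (Host::IPv4(ip), true) => Some(*ip),
        _ => None,
    };
    RemoteRule { proto: proto.to_string(), dport, dst }
}

/// Render the rule as the argument list that would be handed to iptables.
pub fn iptables_args(rule: &RemoteRule) -> Vec<String> {
    let mut args: Vec<String> = ["-A", "OUTPUT", "-p", rule.proto.as_str(), "--dport"]
        .iter().map(|s| s.to_string()).collect();
    args.push(rule.dport.to_string());
    if let Some(ip) = rule.dst {
        args.push("-d".to_string());
        args.push(ip.to_string());
    }
    args.extend(["-j".to_string(), "ACCEPT".to_string()]);
    args
}

/// Does the rule accept a packet to `dst` over `proto`/`dport`? With `dst`
/// unset, any host reachable on that port/protocol passes the killswitch.
pub fn permits(rule: &RemoteRule, dst: Ipv4Addr, proto: &str, dport: u16) -> bool {
    rule.proto == proto && rule.dport == dport && rule.dst.map_or(true, |d| d == dst)
}
```

Feed `permits` a destination other than the VPN remote to see the difference: the port-only rule accepts it, the rule with `-d` does not.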

@jamesmcm
Owner

Cool, could you please create a PR with those changes to the OpenVPN code?

@jamesmcm
Owner

Closing since this was addressed in #167.
