firewall rules for remote do not include the destination ip address #163
Comments
IIRC this is a specific issue for OpenVPN. The issue is that since we get the DNS address from the server response in some cases, we can't know it before connecting. This means we can't set the firewall to only allow connections to the DNS server and tunnel. I tried to work around it at the time, but couldn't get it to work. Since I never use OpenVPN myself, I haven't had time to go back and fix it yet. I'll try to look at it again when I get time (also to refactor out the CLI and library code), but in the meantime you can try to adjust the rules and when they are set to see if you find something that works for OpenVPN connections that receive the DNS address in the OpenVPN connection response.
I use OpenVPN and if I change the vopono firewall code to
then everything still works fine. Maybe the issue you are describing depends not only on OpenVPN being used, but also on some other factors.
Cool, could you please create a PR with those changes to the OpenVPN code?
Closing since addressed in #167
The firewall rules for the remote address do not include the destination IP address.
The parameters are commented out in the code:
There is also this comment:
However, doesn't this only apply to the `Host::Hostname(_name) =>` match case? If I enable these parameters for the `Host::IPv4(ip) =>` branch it at least seems to work for me. In any case, isn't it a significant hole in the killswitch if we only filter on the port/protocol?
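As an added illustration of the point raised above (example code, not vopono's own), a small Rust model of the remote-allow rule in which both the `Host::IPv4` and `Host::Hostname` arms end up with a destination match. The `Host` enum, the `resolve` callback, the interface name and the iptables rule text are assumptions of this example; vopono's real types and rule generation may differ.

```rust
use std::net::{IpAddr, Ipv4Addr};

// Constructed model of the remote VPN endpoint, mirroring the two match arms
// named in the issue; this is not vopono's real type.
#[derive(Debug, Clone)]
pub enum Host {
    IPv4(Ipv4Addr),
    Hostname(String),
}

// Build the OUTPUT accept rule(s) for the VPN remote. Both arms end up with a
// concrete destination: the IPv4 arm directly, the Hostname arm through the
// caller-supplied `resolve` callback (assumed here), one rule per address.
pub fn allow_remote_rules<F>(
    host: &Host,
    port: u16,
    proto: &str,
    iface: &str,
    resolve: F,
) -> Result<Vec<String>, String>
where
    F: Fn(&str) -> Result<Vec<IpAddr>, String>,
{
    let dests: Vec<IpAddr> = match host {
        Host::IPv4(ip) => vec![IpAddr::V4(*ip)],
        Host::Hostname(name) => {
            let ips = resolve(name)?;
            if ips.is_empty() {
                return Err(format!("{} resolved to no addresses", name));
            }
            ips
        }
    };
    Ok(dests
        .into_iter()
        .map(|d| {
            // Pick the netfilter front end matching the address family.
            let bin = if d.is_ipv4() { "iptables" } else { "ip6tables" };
            format!("{} -A OUTPUT -o {} -d {} -p {} --dport {} -j ACCEPT",
                    bin, iface, d, proto, port)
        })
        .collect())
}

// Kill-switch sanity check: an allow rule for the remote without a `-d` match
// lets any host reachable on that port/protocol bypass the tunnel.
pub fn rules_pin_destination(rules: &[String]) -> bool {
    rules.iter().all(|r| r.contains(" -d "))
}
```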