From 89c26fe384aa6e9f42791ec86cd2078a21ce114c Mon Sep 17 00:00:00 2001
From: Mygod
Date: Mon, 3 Sep 2018 16:37:54 +0800
Subject: [PATCH] Support strict mode for system tethering
TODO: Set up rules when upstream interface not found.
---
 mobile/src/main/java/be/mygod/vpnhotspot/App.kt | 5 +++--
 .../java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt | 2 +-
 mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt | 2 ++
 mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt | 5 +++++
 mobile/src/main/res/values-zh-rCN/strings.xml | 2 +-
 mobile/src/main/res/values/strings.xml | 3 +--
 6 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/App.kt b/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
index 077ff57d..6b8c0ed4 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
@@ -49,8 +49,9 @@ class App : Application() {
 val result = pref.getString(KEY_OPERATING_CHANNEL, null)?.toIntOrNull() ?: 0
 return if (result in 1..165) result else 0
 }
- val masquerade: Boolean get() = pref.getBoolean("service.masquerade", true)
- val dhcpWorkaround: Boolean get() = pref.getBoolean("service.dhcpWorkaround", false)
+ val masquerade get() = pref.getBoolean("service.masquerade", true)
+ val strict get() = app.pref.getBoolean("service.repeater.strict", false)
+ val dhcpWorkaround get() = pref.getBoolean("service.dhcpWorkaround", false)
 val cleanRoutings = Event0()
 }
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt b/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
index bcde73d0..fb8b2360 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
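Review bot: The new `strict` accessor reads `app.pref` while the two neighbouring accessors on the same lines read `pref` directly, and the hunk header shows this is already inside `class App`, so the detour through the global `app` instance is redundant; `val strict get() = pref.getBoolean("service.repeater.strict", false)` matches its siblings. The preference key still says `repeater`, yet this commit also makes the flag gate system tethering (see the TetheringService hunk), which a reader of App.kt alone cannot tell; a comment such as `// also enforced for system tethering (TetheringService); key name kept for existing settings` would record that. Whether the key is kept unchanged on purpose for settings compatibility is my inference, not shown on the page.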
@@ -42,7 +42,7 @@ class LocalOnlyInterfaceManager(val downstream: String) : UpstreamMonitor.Callba
 try {
 this.dns = dns
 this.routing = Routing(upstream, downstream, owner).apply {
- val strict = app.pref.getBoolean("service.repeater.strict", false)
+ val strict = app.strict
 if (strict && upstream == null) return@apply // in this case, nothing to be done
 if (app.dhcpWorkaround) dhcpWorkaround()
 ipForward() // local only interfaces need to enable ip_forward
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt b/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
index c3a6c173..01cce533 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
@@ -55,7 +55,9 @@ class TetheringService : IpNeighbourMonitoringService(), UpstreamMonitor.Callbac
 // system tethering already has working forwarding rules
 // so it doesn't make sense to add additional forwarding rules
 rule()
+ // here we always enforce strict mode as fallback is handled by system which we disable
 forward()
+ if (app.strict) overrideSystemRules()
 if (app.masquerade) masquerade()
 dnsRedirect(dns)
 if (app.pref.getBoolean("service.disableIpv6", false)) disableIpv6()
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt b/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
index d40891b3..70c2059e 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
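Review bot: In the TetheringService hunk the added comment says strict mode is "always" enforced here, but the line it introduces only calls `overrideSystemRules()` when `app.strict` is set, so comment and code disagree; either make the call unconditional as the comment claims, or reword it, e.g. `// strict mode: drop whatever forward() did not accept, overriding the system's own forwarding rules`. The order of the two calls is load-bearing and undocumented: `overrideSystemRules()` appends a DROP to `vpnhotspot_fwd`, so it only works if `forward()` (which presumably adds the accept rules) runs first, as it does here; a one-line comment stating that would keep a later reorder from silently breaking strict mode. The commit message leaves the `upstream == null` case as a TODO; from this hunk I cannot see what `forward()` emits without an upstream, so with strict mode on the result may be either dropping all client traffic or leaving system forwarding untouched, and that unresolved behaviour deserves a comment at the call site. The enclosing function starts and ends outside the hunk.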
@@ -84,6 +84,11 @@ class Routing(val upstream: String?, private val downstream: String, ownerAddres
 stopScript.addFirst("$IPTABLES -D FORWARD -j vpnhotspot_fwd")
 }
+ fun overrideSystemRules() {
+ startScript.add("$IPTABLES -A vpnhotspot_fwd -i $downstream -j DROP")
+ stopScript.addFirst("$IPTABLES -D vpnhotspot_fwd -i $downstream -j DROP")
+ }
+
 fun masquerade(strict: Boolean = true) {
 val hostSubnet = "${hostAddress.address.hostAddress}/${hostAddress.networkPrefixLength}"
 startScript.add("quiet $IPTABLES -t nat -N vpnhotspot_masquerade 2>/dev/null")
diff --git a/mobile/src/main/res/values-zh-rCN/strings.xml b/mobile/src/main/res/values-zh-rCN/strings.xml
index f1733c04..65ab2672 100644
--- a/mobile/src/main/res/values-zh-rCN/strings.xml
+++ b/mobile/src/main/res/values-zh-rCN/strings.xml
@@ -64,7 +64,7 @@
 Wi\u2011Fi 运行频段 (不稳定)
 "自动 (1\u201114 = 2.4GHz, 15\u2011165 = 5GHz)"
 严格模式
- 只允许通过 VPN 隧道的包通过,不适用于系统共享
+ 只允许通过 VPN 隧道的包通过
 禁用 IPv6 共享
 防止 IPv6 VPN 泄漏。
 开机自启动中继
diff --git a/mobile/src/main/res/values/strings.xml b/mobile/src/main/res/values/strings.xml
index 1fb98bc1..f4987d61 100644
--- a/mobile/src/main/res/values/strings.xml
+++ b/mobile/src/main/res/values/strings.xml
@@ -69,8 +69,7 @@
 Operating Wi\u2011Fi channel (unstable)
 Auto (1\u201114 = 2.4GHz, 15\u2011165 = 5GHz)
 Strict mode
- Only allow packets that goes through VPN tunnel. Does not
- apply to system tethering.
+ Only allow packets that goes through VPN tunnel.
 Disable IPv6 tethering
 Enabling this option will prevent VPN leaks via IPv6.
 Start repeater on boot
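Review bot: `overrideSystemRules()` installs an IPv4-only DROP via `$IPTABLES`, so in strict mode any IPv6 forwarding that system tethering may provide is left alone unless the user separately turns on the `service.disableIpv6` option seen in TetheringService; if strict mode is meant as a leak guard the function or its caller should either add the matching ip6tables rule or document that strict mode is IPv4-only and relies on the IPv6 option. Whether the DROP fires at all depends on `vpnhotspot_fwd` being reached before the system's own tethering rules in FORWARD; the `-D FORWARD -j vpnhotspot_fwd` line above shows the jump exists but not whether it is inserted at the head or appended, so that ordering should be stated where the jump is created. The function has no KDoc; suggested: `/** Strict mode for system tethering: drop every forwarded IPv4 packet entering from [downstream] that the rules already in vpnhotspot_fwd did not accept. Call after the accept rules have been added, since the DROP is appended last. */`. The name `overrideSystemRules` says nothing about the effect; something like `dropUnmatchedForward()` would read better, with the old name kept only if the settings UI or other callers already depend on it.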