v2.11.4

README.md

@@ -92,11 +92,10 @@ See `build_all --help` for other build options.
 ```bash
   brew install git
 ```
-- Install Auto-Tools and 7-Zip:
+- Install Auto-Tools:
 ```bash
   brew install libtool
   brew install automake
-  brew install p7zip
 ```
 - Install Python 3:
     - Minimum tested version is Python 3.6.8. 3.12.0 seems to have some issues with the python deps, so 3.11.6 is the latest recommended version. You may do this however you like, however `pyenv` is recommended:

backend/linux/helper/CMakeLists.txt

@@ -25,6 +25,7 @@ set(SOURCES
     ../../../client/common/utils/executable_signature/executablesignature_linux.cpp
     execute_cmd.cpp
     firewallcontroller.cpp
+    firewallonboot.cpp
     ipc/helper_security.cpp
     logger.cpp
     main.cpp

backend/linux/helper/execute_cmd.cpp

@@ -2,7 +2,7 @@
 #include <boost/thread.hpp>
 #include <syslog.h>
 
-unsigned long ExecuteCmd::execute(const std::string &cmd, const std::string &cwd)
+unsigned long ExecuteCmd::execute(const std::string &cmd, const std::string &cwd, bool deleteOnFinish)
 {
     mutex_.lock();
     curCmdId_++;
@@ -14,9 +14,9 @@ unsigned long ExecuteCmd::execute(const std::string &cmd, const std::string &cwd
     mutex_.unlock();
 
     if (!cwd.empty()) {
-        boost::thread(runCmd, curCmdId_, "cd \"" + cwd + "\" && " + cmd);
+        boost::thread(runCmd, curCmdId_, "cd \"" + cwd + "\" && " + cmd, deleteOnFinish);
     } else {
-        boost::thread(runCmd, curCmdId_, cmd);
+        boost::thread(runCmd, curCmdId_, cmd, deleteOnFinish);
     }
 
     return curCmdId_;
@@ -55,7 +55,7 @@ ExecuteCmd::ExecuteCmd() : curCmdId_(0)
 {
 }
 
-void ExecuteCmd::runCmd(unsigned long cmdId, std::string cmd)
+void ExecuteCmd::runCmd(unsigned long cmdId, std::string cmd, bool deleteOnFinish)
 {
     std::string strReply;
 
@@ -69,20 +69,25 @@ void ExecuteCmd::runCmd(unsigned long cmdId, std::string cmd)
             }
         }
         pclose(file);
-        instance().cmdFinished(cmdId, true, strReply);
+        instance().cmdFinished(cmdId, true, strReply, deleteOnFinish);
     } else {
-        instance().cmdFinished(cmdId, false, std::string());
+        instance().cmdFinished(cmdId, false, std::string(), deleteOnFinish);
     }
 }
 
-void ExecuteCmd::cmdFinished(unsigned long cmdId, bool bSuccess, std::string log)
+void ExecuteCmd::cmdFinished(unsigned long cmdId, bool bSuccess, std::string log, bool del)
 {
     mutex_.lock();
     for (auto it = executingCmds_.begin(); it != executingCmds_.end(); ++it) {
         if ((*it)->cmdId == cmdId) {
-            (*it)->bFinished = true;
-            (*it)->bSuccess = bSuccess;
-            (*it)->log = log;
+            if (del) {
+                delete(*it);
+                executingCmds_.erase(it);
+            } else {
+                (*it)->bFinished = true;
+                (*it)->bSuccess = bSuccess;
+                (*it)->log = log;
+            }
             break;
         }
     }

backend/linux/helper/execute_cmd.h

@@ -14,7 +14,7 @@ class ExecuteCmd
         return i;
     }
 
-    unsigned long execute(const std::string &cmd, const std::string &cwd = "");
+    unsigned long execute(const std::string &cmd, const std::string &cwd = "", bool deleteOnFinish = false);
     void getStatus(unsigned long cmdId, bool &bFinished, std::string &log);
     void clearCmds();
 
@@ -23,8 +23,8 @@ class ExecuteCmd
 
     unsigned long curCmdId_;
 
-    static void runCmd(unsigned long cmdId, std::string cmd);
-    void cmdFinished(unsigned long cmdId, bool bSuccess, std::string log);
+    static void runCmd(unsigned long cmdId, std::string cmd, bool deleteOnFinish);
+    void cmdFinished(unsigned long cmdId, bool bSuccess, std::string log, bool del);
     bool isCmdExist(unsigned long cmdId);
 
     struct CmdDescr

backend/linux/helper/firewallcontroller.cpp

@@ -9,6 +9,21 @@
 #include "logger.h"
 #include "utils.h"
 
+FirewallController::FirewallController() : connected_(false), splitTunnelEnabled_(false), splitTunnelExclude_(true)
+{
+    // If firewall on boot is enabled, restore boot rules
+    if (Utils::isFileExists("/etc/windscribe/boot_rules.v4")) {
+        Utils::executeCommand("iptables-restore", {"-n", "/etc/windscribe/boot_rules.v4"});
+    }
+    if (Utils::isFileExists("/etc/windscribe/boot_rules.v6")) {
+        Utils::executeCommand("ip6tables-restore", {"-n", "/etc/windscribe/boot_rules.v6"});
+    }
+}
+
+FirewallController::~FirewallController()
+{
+}
+
 bool FirewallController::enable(bool ipv6, const std::string &rules)
 {
     int fd;

backend/linux/helper/firewallcontroller.h

@@ -27,8 +27,8 @@ class FirewallController
     void setSplitTunnelIpExceptions(const std::vector<std::string> &ips);
 
 private:
-    FirewallController() : connected_(false), splitTunnelEnabled_(false), splitTunnelExclude_(true) {};
-    ~FirewallController() { disable(); };
+    FirewallController();
+    ~FirewallController();
 
     bool connected_;
     bool splitTunnelEnabled_;

backend/linux/helper/firewallonboot.cpp

@@ -0,0 +1,113 @@
+#include "firewallonboot.h"
+#include <sstream>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "logger.h"
+#include "utils.h"
+
+FirewallOnBootManager::FirewallOnBootManager(): comment_("Windscribe client rule")
+{
+}
+
+FirewallOnBootManager::~FirewallOnBootManager()
+{
+}
+
+bool FirewallOnBootManager::setEnabled(bool enabled, bool allowLanTraffic)
+{
+    if (enabled) {
+        return enable(allowLanTraffic);
+    }
+    return disable();
+}
+
+bool FirewallOnBootManager::enable(bool allowLanTraffic) {
+    std::stringstream rules;
+    int bytes;
+
+    rules << "*filter\n";
+    rules << ":windscribe_input - [0:0]\n";
+    rules << ":windscribe_output - [0:0]\n";
+    rules << "-I INPUT -j windscribe_input -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-I OUTPUT -j windscribe_output -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_input -i lo -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_output -o lo -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_input -p udp --sport 67 --dport 68 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_output -p udp --sport 68 --dport 67 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+
+    std::istringstream ips(ipTable_);
+    std::string ip;
+
+    while (std::getline(ips, ip, ' ')) {
+        rules << "-A windscribe_input -s " + ip + " -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_output -d " + ip + " -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+    }
+
+    if (allowLanTraffic) {
+        // Local Network
+        rules << "-A windscribe_input -s 192.168.0.0/16 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_output -d 192.168.0.0/16 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+
+        rules << "-A windscribe_input -s 172.16.0.0/12 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_output -d 172.16.0.0/12 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+
+        rules << "-A windscribe_input -s 169.254.0.0/16 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_output -d 169.254.0.0/16 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+
+        rules << "-A windscribe_input -s 10.255.255.0/24 -j DROP -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_output -d 10.255.255.0/24 -j DROP -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_input -s 10.0.0.0/8 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_output -d 10.0.0.0/8 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+
+        // Multicast addresses
+        rules << "-A windscribe_input -s 224.0.0.0/4 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+        rules << "-A windscribe_output -d 224.0.0.0/4 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+    }
+    rules << "-A windscribe_input -j DROP -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_output -j DROP -m comment --comment \"" + comment_ + "\"\n";
+    rules << "COMMIT\n";
+
+    // write rules
+    int fd = open("/etc/windscribe/boot_rules.v4", O_CREAT | O_WRONLY | O_TRUNC, S_IRWXU | S_IRGRP | S_IROTH);
+    if (fd < 0) {
+        Logger::instance().out("Could not open boot firewall rules for writing");
+        return false;
+    }
+
+    bytes = write(fd, rules.str().c_str(), rules.str().length());
+    close(fd);
+
+    rules.str("");
+    rules.clear();
+
+    rules << "*filter\n";
+    rules << ":windscribe_input - [0:0]\n";
+    rules << ":windscribe_output - [0:0]\n";
+    rules << "-A INPUT -j windscribe_input -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A OUTPUT -j windscribe_output -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_input -s ::1/128 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_output -d ::1/128 -j ACCEPT -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_input -j DROP -m comment --comment \"" + comment_ + "\"\n";
+    rules << "-A windscribe_output -j DROP -m comment --comment \"" + comment_ + "\"\n";
+    rules << "COMMIT\n";
+
+    // write rules
+    fd = open("/etc/windscribe/boot_rules.v6", O_CREAT | O_WRONLY | O_TRUNC, S_IRWXU | S_IRGRP | S_IROTH);
+    if (fd < 0) {
+        Logger::instance().out("Could not open v6 boot firewall rules for writing");
+        return false;
+    }
+
+    bytes = write(fd, rules.str().c_str(), rules.str().length());
+    close(fd);
+
+    return true;
+}
+
+bool FirewallOnBootManager::disable()
+{
+    Utils::executeCommand("rm", {"-f", "/etc/windscribe/boot_rules.v4"});
+    Utils::executeCommand("rm", {"-f", "/etc/windscribe/boot_rules.v6"});
+    return true;
+}

backend/linux/helper/firewallonboot.h

@@ -0,0 +1,27 @@
+#pragma once
+
+#include <string>
+
+class FirewallOnBootManager
+{
+public:
+    static FirewallOnBootManager& instance()
+    {
+        static FirewallOnBootManager fobm;
+        return fobm;
+    }
+
+    bool setEnabled(bool enabled, bool allowLanTraffic);
+    void setIpTable(const std::string& ipTable) { ipTable_ = ipTable; }
+
+private:
+    FirewallOnBootManager();
+    ~FirewallOnBootManager();
+
+    std::string comment_;
+
+    bool enable(bool allowLanTraffic);
+    bool disable();
+
+    std::string ipTable_;
+};

backend/linux/helper/main.cpp

@@ -27,17 +27,6 @@ int main(int argc, const char *argv[])
 
     Logger::instance().checkLogSize();
 
-    // restore firewall setting on OS reboot, if there are saved rules on /etc/windscribe dir
-
-    if (Utils::isFileExists("/etc/windscribe/rules.v4"))
-    {
-        Utils::executeCommand("iptables-restore -n < /etc/windscribe/rules.v4");
-    }
-    if (Utils::isFileExists("/etc/windscribe/rules.v6"))
-    {
-        Utils::executeCommand("ip6tables-restore -n < /etc/windscribe/rules.v6");
-    }
-
     server.run();
 
     Logger::instance().out("Windscribe helper finished");

backend/linux/helper/process_command.cpp

@@ -7,6 +7,7 @@
 #include <stdlib.h>
 #include "execute_cmd.h"
 #include "firewallcontroller.h"
+#include "firewallonboot.h"
 #include "logger.h"
 #include "ovpn.h"
 #include "routes_manager/routes_manager.h"
@@ -295,6 +296,19 @@ CMD_ANSWER getFirewallRules(boost::archive::text_iarchive &ia)
     return answer;
 }
 
+CMD_ANSWER setFirewallOnBoot(boost::archive::text_iarchive &ia)
+{
+    CMD_ANSWER answer;
+    CMD_SET_FIREWALL_ON_BOOT cmd;
+    ia >> cmd;
+    Logger::instance().out("Set firewall on boot: %s", cmd.enabled ? "true" : "false");
+
+    FirewallOnBootManager::instance().setIpTable(cmd.ipTable);
+    answer.executed = FirewallOnBootManager::instance().setEnabled(cmd.enabled, cmd.allowLanTraffic);
+
+    return answer;
+}
+
 CMD_ANSWER taskKill(boost::archive::text_iarchive &ia)
 {
     CMD_ANSWER answer;
@@ -343,14 +357,10 @@ CMD_ANSWER startCtrld(boost::archive::text_iarchive &ia)
     CMD_START_CTRLD cmd;
     ia >> cmd;
 
-    if (!Utils::isValidIpAddress(cmd.ip)) {
-        Logger::instance().out("Invalid IP address: %s", cmd.ip.c_str());
-        answer.executed = 0;
-        return answer;
-    }
+    Logger::instance().out("Starting ctrld");
 
     // Validate URLs
-    if ((!Utils::isValidUrl(cmd.upstream1)) || (!cmd.upstream2.empty() && !Utils::isValidUrl(cmd.upstream2))) {
+    if (!Utils::isValidUrl(cmd.upstream1) || (!cmd.upstream2.empty() && !Utils::isValidUrl(cmd.upstream2))) {
         Logger::instance().out("Invalid upstream URL(s)");
         answer.executed = 0;
         return answer;
@@ -365,7 +375,8 @@ CMD_ANSWER startCtrld(boost::archive::text_iarchive &ia)
 
     std::stringstream arguments;
     arguments << "run";
-    arguments << " --listen=" + cmd.ip + ":53";
+    arguments << " --daemon";
+    arguments << " --listen=127.0.0.1:53";
     arguments << " --primary_upstream=" + cmd.upstream1;
     if (!cmd.upstream2.empty()) {
         arguments << " --secondary_upstream=" + cmd.upstream2;
@@ -397,8 +408,7 @@ CMD_ANSWER startCtrld(boost::archive::text_iarchive &ia)
         Logger::instance().out("ctrld executable signature incorrect: %s", sigCheck.lastError().c_str());
         answer.executed = 0;
     } else {
-        answer.cmdId = ExecuteCmd::instance().execute(fullCmd, std::string());
-        answer.executed = 1;
+        answer.executed = Utils::executeCommand(fullCmd) ? 0 : 1;
     }
     return answer;
 }
@@ -437,7 +447,7 @@ CMD_ANSWER startStunnel(boost::archive::text_iarchive &ia)
         Logger::instance().out("stunnel executable signature incorrect: %s", sigCheck.lastError().c_str());
         answer.executed = 0;
     } else {
-        answer.cmdId = ExecuteCmd::instance().execute(fullCmd, std::string());
+        answer.cmdId = ExecuteCmd::instance().execute(fullCmd, std::string(), true);
         answer.executed = 1;
     }
     return answer;
@@ -473,7 +483,7 @@ CMD_ANSWER startWstunnel(boost::archive::text_iarchive &ia)
         Logger::instance().out("wstunnel executable signature incorrect: %s", sigCheck.lastError().c_str());
         answer.executed = 0;
     } else {
-        answer.cmdId = ExecuteCmd::instance().execute(fullCmd, std::string());
+        answer.cmdId = ExecuteCmd::instance().execute(fullCmd, std::string(), true);
         answer.executed = 1;
     }
     return answer;