authorArne Schwabe <arne@openvpn.net>2019-02-22 13:33:35 +0100
committerArne Schwabe <arne@openvpn.net>2019-02-22 13:33:35 +0100
commit460cab9572751f4ec6ee9f68ab48d56595b06d73 (patch)
tree43db24afc7c8962a4e1d908a383e2ec792ad7655
parent82484ed5851dd79fefec1090b9d9fe83608b5dc3 (diff)
Allow users to explicitly change allowAF independent from local LAN
access
-rw-r--r--main/src/main/java/de/blinkt/openvpn/VpnProfile.java55
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java2
-rw-r--r--main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java13
-rwxr-xr-xmain/src/main/res/values/strings.xml2
-rw-r--r--main/src/main/res/xml/vpn_routing.xml5
5 files changed, 51 insertions, 26 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index cc8ba03a..cdbe97d9 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -12,7 +12,6 @@ import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
-import android.os.RemoteException;
import android.preference.PreferenceManager;
import android.security.KeyChain;
import android.security.KeyChainException;
@@ -61,7 +60,7 @@ public class VpnProfile implements Serializable, Cloneable {
public static final String INLINE_TAG = "[[INLINE]]";
public static final String DISPLAYNAME_TAG = "[[NAME]]";
public static final int MAXLOGLEVEL = 4;
- public static final int CURRENT_PROFILE_VERSION = 7;
+ public static final int CURRENT_PROFILE_VERSION = 8;
public static final int DEFAULT_MSSFIX_SIZE = 1280;
public static final int TYPE_CERTIFICATES = 0;
public static final int TYPE_PKCS12 = 1;
@@ -164,6 +163,7 @@ public class VpnProfile implements Serializable, Cloneable {
private UUID mUuid;
private int mProfileVersion;
+ public boolean mBlockUnusedAddressFamilies =true;
public VpnProfile(String name) {
mUuid = UUID.randomUUID();
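Review bot: The `=true` initializer on `mBlockUnusedAddressFamilies` only applies to profiles created through a constructor. VpnProfile is `Serializable`, and if stored profiles are restored through Java deserialization (the loading code is outside this diff), the field is missing from older streams and comes back as `false`, which is the non-blocking value. The safe default for existing profiles therefore depends on `upgradeProfile()` assigning the field explicitly for every version below 8. A comment on the field would also help, for example `// When true, Android blocks an address family (IPv4/IPv6) that the VPN does not configure`.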
@@ -275,29 +275,36 @@ public class VpnProfile implements Serializable, Cloneable {
}
public void upgradeProfile() {
- if (mProfileVersion < 2) {
- /* default to the behaviour the OS used */
- mAllowLocalLAN = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
- }
-
- if (mProfileVersion < 4) {
- moveOptionsToConnection();
- mAllowedAppsVpnAreDisallowed = true;
- }
- if (mAllowedAppsVpn == null)
- mAllowedAppsVpn = new HashSet<>();
- if (mConnections == null)
- mConnections = new Connection[0];
-
- if (mProfileVersion < 6) {
- if (TextUtils.isEmpty(mProfileCreator))
- mUserEditable = true;
- }
- if (mProfileVersion < 7) {
- for (Connection c : mConnections)
- if (c.mProxyType == null)
- c.mProxyType = Connection.ProxyType.NONE;
+ /* Fallthrough is intended here */
+ switch(mProfileVersion) {
+ case 0:
+ case 1:
+ /* default to the behaviour the OS used */
+ mAllowLocalLAN = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
+ case 2:
+ case 3:
+ moveOptionsToConnection();
+ mAllowedAppsVpnAreDisallowed = true;
+
+ if (mAllowedAppsVpn == null)
+ mAllowedAppsVpn = new HashSet<>();
+
+ if (mConnections == null)
+ mConnections = new Connection[0];
+ case 4:
+ case 5:
+
+ if (TextUtils.isEmpty(mProfileCreator))
+ mUserEditable = true;
+ case 6:
+ for (Connection c : mConnections)
+ if (c.mProxyType == null)
+ c.mProxyType = Connection.ProxyType.NONE;
+ case 7:
+ if (mAllowAppVpnBypass)
+ mBlockUnusedAddressFamilies = !mAllowAppVpnBypass;
+ default:
}
mProfileVersion = CURRENT_PROFILE_VERSION;
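Review bot: The `case 7` migration derives the new flag from `mAllowAppVpnBypass`, whereas the OpenVPNService hunk in this commit shows the old gate was `mAllowLocalLAN`, and it assigns only when the bypass flag is true, so every other upgraded profile keeps whatever value the field already held. If the intent is to preserve each profile's previous behaviour, an unconditional `mBlockUnusedAddressFamilies = !mAllowLocalLAN;` would do that; `mAllowAppVpnBypass` is declared outside this diff, so confirm which flag is meant. Separately, the null guards for `mAllowedAppsVpn` and `mConnections` used to run for every profile and now run only under `case 2`/`case 3`, while `case 6` still iterates `mConnections`; keeping the guards ahead of the `switch` would retain the old guarantee. The body of `upgradeProfile()` continues past this hunk.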
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
index 5612b55f..ec29cb3e 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -725,7 +725,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
VpnStatus.logInfo(R.string.last_openvpn_tun_config);
- if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mProfile.mAllowLocalLAN) {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && !mProfile.mBlockUnusedAddressFamilies) {
allowAllAFFamilies(builder);
}
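Review bot: The changed condition deserves a comment, since it is now the only gate on whether address families the VPN does not configure stay blocked, and the reason for the LOLLIPOP check is not stated. Something like `// allowFamily() exists from API 21; only unblock unused families when the user turned blocking off` would do. `allowAllAFFamilies` is defined outside this hunk, so adjust the wording to what it actually calls. The enclosing method starts and ends outside the hunk.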
diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java b/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java
index 71d379d4..53f88bbf 100644
--- a/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java
+++ b/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java
@@ -4,6 +4,7 @@
*/
package de.blinkt.openvpn.fragments;
+import android.os.Build;
import android.os.Bundle;
import android.preference.CheckBoxPreference;
import android.preference.EditTextPreference;
@@ -21,8 +22,9 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr
private CheckBoxPreference mLocalVPNAccess;
private EditTextPreference mExcludedRoutes;
private EditTextPreference mExcludedRoutesv6;
+ private CheckBoxPreference mBlockUnusedAF;
- @Override
+ @Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
@@ -38,10 +40,16 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr
mRouteNoPull = (CheckBoxPreference) findPreference("routenopull");
mLocalVPNAccess = (CheckBoxPreference) findPreference("unblockLocal");
+ mBlockUnusedAF = (CheckBoxPreference) findPreference("blockUnusedAF");
+
mCustomRoutes.setOnPreferenceChangeListener(this);
mCustomRoutesv6.setOnPreferenceChangeListener(this);
mExcludedRoutes.setOnPreferenceChangeListener(this);
mExcludedRoutesv6.setOnPreferenceChangeListener(this);
+ mBlockUnusedAF.setOnPreferenceChangeListener(this);
+
+ if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP)
+ getPreferenceScreen().removePreference(mBlockUnusedAF);
loadSettings();
}
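Review bot: `mBlockUnusedAF.setOnPreferenceChangeListener(this)` routes the checkbox through `onPreferenceChange`, which is outside this diff, while the two other checkboxes fetched in this hunk (`mRouteNoPull`, `mLocalVPNAccess`) register no listener in the visible lines. If that callback only updates the EditTextPreference summaries and returns false for anything else, or casts the new value to a string, toggling this option would be rejected or fail. Check that it returns true for `mBlockUnusedAF`, or drop the listener as the sibling checkboxes do. `onCreate` begins in an earlier hunk.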
@@ -61,6 +69,8 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr
mRouteNoPull.setChecked(mProfile.mRoutenopull);
mLocalVPNAccess.setChecked(mProfile.mAllowLocalLAN);
+ mBlockUnusedAF.setChecked(mProfile.mBlockUnusedAddressFamilies);
+
// Sets Summary
onPreferenceChange(mCustomRoutes, mCustomRoutes.getText());
onPreferenceChange(mCustomRoutesv6, mCustomRoutesv6.getText());
@@ -81,6 +91,7 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr
mProfile.mAllowLocalLAN =mLocalVPNAccess.isChecked();
mProfile.mExcludedRoutes = mExcludedRoutes.getText();
mProfile.mExcludedRoutesv6 = mExcludedRoutesv6.getText();
+ mProfile.mBlockUnusedAddressFamilies = mBlockUnusedAF.isChecked();
}
@Override
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index d1f45a98..a495cd48 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -489,5 +489,7 @@
<string name="extauth_not_configured">External Authneticator not configured</string>
<string name="faq_killswitch_title">Block non VPN connection (\"Killswitch\")</string>
<string name="faq_killswitch">It is often desired to block connections without VPN. Other apps often use markting terms like \"Killswitch\" or \"Seamless tunnel\" for this feature. OpenVPN and this app offer persist-tun, a feature to implement this functionality.&lt;p>The problem with all these methods offered by apps is that they can only provide best effort and are no complete solutions. On boot, app crashing and other corner cases the app cannot ensure that this block of non VPN connection works. Thus giving the user a false sense of security.&lt;p>The &lt;b>only&lt;/b> reliable way to ensure non VPN connections are blocked is to use Android 8.0 or later and use the \"block connections without VPN\" setting that can be found under Settings > Network &amp; Internet > Advanced/VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN</string>
+ <string name="summary_block_address_families">This option instructs Android to not allow protocols (IPv4/IPv6) if the VPN does not set any IPv4 or IPv6 addresses.</string>
+ <string name="title_block_address_families">Block IPv6 (or IPv4) if not used by the VPN</string>
</resources>
diff --git a/main/src/main/res/xml/vpn_routing.xml b/main/src/main/res/xml/vpn_routing.xml
index 1857ba83..4b662b25 100644
--- a/main/src/main/res/xml/vpn_routing.xml
+++ b/main/src/main/res/xml/vpn_routing.xml
@@ -17,6 +17,11 @@
android:key="unblockLocal"
/>
+ <CheckBoxPreference
+ android:title="@string/title_block_address_families"
+ android:key="blockUnusedAF"
+ android:summary="@string/summary_block_address_families"
+ />
<PreferenceCategory android:title="@string/ipv4" >
<CheckBoxPreference
android:disableDependentsState="true"