From 460cab9572751f4ec6ee9f68ab48d56595b06d73 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 22 Feb 2019 13:33:35 +0100 Subject: Allow users to explicitly change allowAF independent from local LAN access --- .../main/java/de/blinkt/openvpn/VpnProfile.java | 55 ++++++++++++---------- .../de/blinkt/openvpn/core/OpenVPNService.java | 2 +- .../blinkt/openvpn/fragments/Settings_Routing.java | 13 ++++- main/src/main/res/values/strings.xml | 2 + main/src/main/res/xml/vpn_routing.xml | 5 ++ 5 files changed, 51 insertions(+), 26 deletions(-) diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java index cc8ba03a..cdbe97d9 100644 --- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -12,7 +12,6 @@ import android.content.SharedPreferences; import android.content.pm.PackageInfo; import android.content.pm.PackageManager; import android.os.Build; -import android.os.RemoteException; import android.preference.PreferenceManager; import android.security.KeyChain; import android.security.KeyChainException; @@ -61,7 +60,7 @@ public class VpnProfile implements Serializable, Cloneable { public static final String INLINE_TAG = "[[INLINE]]"; public static final String DISPLAYNAME_TAG = "[[NAME]]"; public static final int MAXLOGLEVEL = 4; - public static final int CURRENT_PROFILE_VERSION = 7; + public static final int CURRENT_PROFILE_VERSION = 8; public static final int DEFAULT_MSSFIX_SIZE = 1280; public static final int TYPE_CERTIFICATES = 0; public static final int TYPE_PKCS12 = 1; @@ -164,6 +163,7 @@ public class VpnProfile implements Serializable, Cloneable { private UUID mUuid; private int mProfileVersion; + public boolean mBlockUnusedAddressFamilies =true; public VpnProfile(String name) { mUuid = UUID.randomUUID(); 
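Review bot: The `=true` initializer on `mBlockUnusedAddressFamilies` only protects profiles created through a constructor. `VpnProfile` implements `Serializable`, so if stored profiles are read back with Java serialization, a profile written before this field existed would come back with `false`, the value that leaves the unused address family unblocked. The `case 7` step in `upgradeProfile()` (a later hunk) only ever assigns `false`, so it cannot restore the blocking value. Since the old gate in `OpenVPNService` was `mAllowLocalLAN`, the migration could assign unconditionally, e.g. `mBlockUnusedAddressFamilies = !mAllowLocalLAN;`, if keeping the previous behaviour is the intent. A field comment such as `/* true = an IPv4/IPv6 family the VPN does not configure stays blocked; must be set explicitly in upgradeProfile() for old profiles */` would record this.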
@@ -275,29 +275,36 @@ public class VpnProfile implements Serializable, Cloneable { } public void upgradeProfile() { - if (mProfileVersion < 2) { - /* default to the behaviour the OS used */ - mAllowLocalLAN = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; - } - - if (mProfileVersion < 4) { - moveOptionsToConnection(); - mAllowedAppsVpnAreDisallowed = true; - } - if (mAllowedAppsVpn == null) - mAllowedAppsVpn = new HashSet<>(); - if (mConnections == null) - mConnections = new Connection[0]; - - if (mProfileVersion < 6) { - if (TextUtils.isEmpty(mProfileCreator)) - mUserEditable = true; - } - if (mProfileVersion < 7) { - for (Connection c : mConnections) - if (c.mProxyType == null) - c.mProxyType = Connection.ProxyType.NONE; + /* Fallthrough is intended here */ + switch(mProfileVersion) { + case 0: + case 1: + /* default to the behaviour the OS used */ + mAllowLocalLAN = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; + case 2: + case 3: + moveOptionsToConnection(); + mAllowedAppsVpnAreDisallowed = true; + + if (mAllowedAppsVpn == null) + mAllowedAppsVpn = new HashSet<>(); + + if (mConnections == null) + mConnections = new Connection[0]; + case 4: + case 5: + + if (TextUtils.isEmpty(mProfileCreator)) + mUserEditable = true; + case 6: + for (Connection c : mConnections) + if (c.mProxyType == null) + c.mProxyType = Connection.ProxyType.NONE; + case 7: + if (mAllowAppVpnBypass) + mBlockUnusedAddressFamilies = !mAllowAppVpnBypass; + default: } mProfileVersion = CURRENT_PROFILE_VERSION; diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java index 5612b55f..ec29cb3e 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java +++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java 
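Review bot: The null guards for `mAllowedAppsVpn` and `mConnections` now sit under `case 2`/`case 3`, so they run only for profiles older than version 4, whereas the removed code ran them on every call. A profile at version 4 to 6 with a null `mConnections` would reach the `for (Connection c : mConnections)` loop in `case 6` and throw; whether such profiles can exist is not visible here. Moving both checks in front of the `switch` keeps the old guarantee: `if (mAllowedAppsVpn == null) mAllowedAppsVpn = new HashSet<>();` and `if (mConnections == null) mConnections = new Connection[0];`. The end of `upgradeProfile()` lies outside the hunk.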
@@ -725,7 +725,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac VpnStatus.logInfo(R.string.last_openvpn_tun_config); - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mProfile.mAllowLocalLAN) { + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && !mProfile.mBlockUnusedAddressFamilies) { allowAllAFFamilies(builder); } diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java b/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java index 71d379d4..53f88bbf 100644 --- a/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java +++ b/main/src/main/java/de/blinkt/openvpn/fragments/Settings_Routing.java @@ -4,6 +4,7 @@ */ package de.blinkt.openvpn.fragments; +import android.os.Build; import android.os.Bundle; import android.preference.CheckBoxPreference; import android.preference.EditTextPreference; @@ -21,8 +22,9 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr private CheckBoxPreference mLocalVPNAccess; private EditTextPreference mExcludedRoutes; private EditTextPreference mExcludedRoutesv6; + private CheckBoxPreference mBlockUnusedAF; - @Override + @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); 
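Review bot: The branch that calls `allowAllAFFamilies(builder)` deserves a comment stating its effect on traffic, because this is where the profile setting becomes a decision about what Android blocks. Going by the new option text in strings.xml, leaving the families allowed means a protocol for which the VPN sets no address is not blocked by Android. A suggested comment above the `if`: `// Unless the profile asks to block them, allow both address families; a family the VPN does not configure is then not blocked by Android (presumably it bypasses the tunnel - confirm).` The enclosing method starts and ends outside the hunk.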
@@ -38,10 +40,16 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr mRouteNoPull = (CheckBoxPreference) findPreference("routenopull"); mLocalVPNAccess = (CheckBoxPreference) findPreference("unblockLocal"); + mBlockUnusedAF = (CheckBoxPreference) findPreference("blockUnusedAF"); + mCustomRoutes.setOnPreferenceChangeListener(this); mCustomRoutesv6.setOnPreferenceChangeListener(this); mExcludedRoutes.setOnPreferenceChangeListener(this); mExcludedRoutesv6.setOnPreferenceChangeListener(this); + mBlockUnusedAF.setOnPreferenceChangeListener(this); + + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) + getPreferenceScreen().removePreference(mBlockUnusedAF); loadSettings(); } @@ -61,6 +69,8 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr mRouteNoPull.setChecked(mProfile.mRoutenopull); mLocalVPNAccess.setChecked(mProfile.mAllowLocalLAN); + mBlockUnusedAF.setChecked(mProfile.mBlockUnusedAddressFamilies); + // Sets Summary onPreferenceChange(mCustomRoutes, mCustomRoutes.getText()); onPreferenceChange(mCustomRoutesv6, mCustomRoutesv6.getText()); @@ -81,6 +91,7 @@ public class Settings_Routing extends OpenVpnPreferencesFragment implements OnPr mProfile.mAllowLocalLAN =mLocalVPNAccess.isChecked(); mProfile.mExcludedRoutes = mExcludedRoutes.getText(); mProfile.mExcludedRoutesv6 = mExcludedRoutesv6.getText(); + mProfile.mBlockUnusedAddressFamilies = mBlockUnusedAF.isChecked(); } @Override diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml index d1f45a98..a495cd48 100755 --- a/main/src/main/res/values/strings.xml +++ b/main/src/main/res/values/strings.xml 
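Review bot: `mBlockUnusedAF.setOnPreferenceChangeListener(this)` registers the fragment's listener on a checkbox, while in the visible lines the other two checkboxes (`mRouteNoPull`, `mLocalVPNAccess`) are not registered, and `onPreferenceChange` itself is outside these hunks. The visible calls pass `getText()` strings to it under the `// Sets Summary` comment, so it is worth confirming that the handler accepts a `Boolean` new value and returns `true`. Otherwise toggling the new option could throw or be rejected. If the handler does nothing checkbox-specific, dropping the registration would make this preference behave like `mLocalVPNAccess`, whose state is simply read with `isChecked()` in the last `Settings_Routing` hunk.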
@@ -489,5 +489,7 @@ External Authneticator not configured Block non VPN connection (\"Killswitch\") It is often desired to block connections without VPN. Other apps often use markting terms like \"Killswitch\" or \"Seamless tunnel\" for this feature. OpenVPN and this app offer persist-tun, a feature to implement this functionality.<p>The problem with all these methods offered by apps is that they can only provide best effort and are no complete solutions. On boot, app crashing and other corner cases the app cannot ensure that this block of non VPN connection works. Thus giving the user a false sense of security.<p>The <b>only</b> reliable way to ensure non VPN connections are blocked is to use Android 8.0 or later and use the \"block connections without VPN\" setting that can be found under Settings > Network & Internet > Advanced/VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN + This option instructs Android to not allow protocols (IPv4/IPv6) if the VPN does not set any IPv4 or IPv6 addresses. + Block IPv6 (or IPv4) if not used by the VPN diff --git a/main/src/main/res/xml/vpn_routing.xml b/main/src/main/res/xml/vpn_routing.xml index 1857ba83..4b662b25 100644 --- a/main/src/main/res/xml/vpn_routing.xml +++ b/main/src/main/res/xml/vpn_routing.xml @@ -17,6 +17,11 @@ android:key="unblockLocal" /> +