Skip to content

Commit

Permalink
(macOS) New Firewall option: Bypass Apple Services
Browse files Browse the repository at this point in the history
  • Loading branch information
stenya committed Oct 2, 2024
1 parent 9ecae67 commit c44b9f1
Show file tree
Hide file tree
Showing 15 changed files with 188 additions and 15 deletions.
42 changes: 42 additions & 0 deletions daemon/References/macOS/etc/firewall.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
# sudo pfctl -s rules
# Show all rules for "ivpn_firewall" anchor
# sudo pfctl -a "ivpn_firewall" -s rules
# sudo pfctl -a "ivpn_firewall/apple_services" -s rules
# sudo pfctl -a "ivpn_firewall/tunnel" -s rules
# sudo pfctl -a "ivpn_firewall/dns" -s rules
# Show table
Expand Down Expand Up @@ -101,6 +102,7 @@ function enable_firewall {
pass out inet proto udp from 0.0.0.0 to 255.255.255.255 port = 67
pass in proto udp from any to any port = 68
anchor apple_services all
anchor tunnel all
anchor dns all
_EOF
Expand Down Expand Up @@ -131,6 +133,8 @@ function disable_firewall {
pfctl -a ${ANCHOR_NAME} -t ${EXCEPTIONS_TABLE} -T flush
pfctl -a ${ANCHOR_NAME} -t ${USER_EXCEPTIONS_TABLE} -T flush

# remove all rules in tun anchor
pfctl -a ${ANCHOR_NAME}/apple_services -Fr
# remove all rules in tun anchor
pfctl -a ${ANCHOR_NAME}/tunnel -Fr
# remove all rules in dns anchor
Expand Down Expand Up @@ -187,6 +191,36 @@ _EOF
block drop out proto tcp from any to ! ${DNS} port = 53
_EOF
}
####
function allow_apple_services_on {
# Ports: https://support.apple.com/en-us/103229
# 443 TCP - Secure Sockets Layer (SSL or HTTPS): TLS websites, iTunes Store, Software Update, Spotlight Suggestions, Mac App Store, Maps, FaceTime, Game Center, iCloud authentication and DAV Services (Contacts, Calendars, Bookmarks), iCloud backup and apps (Calendars, Contacts, Find My iPhone, Find My Friends, Mail, iMessage, Documents & Photo Stream), iCloud Key Value Store (KVS), AirPlay, macOS Internet Recovery, Dictation, Siri, Xcode Server (hosted and remote Git HTTPS, remote SVN HTTPS, Apple Developer registration), Push notifications (if necessary)
# 2197 TCP - Apple Push Notification Service (APNS)
# 5223 TCP - Apple Push Notification Service (APNS): iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream
#
# IP addresses: https://support.apple.com/en-us/HT210060
pfctl -a ${ANCHOR_NAME}/apple_services -f - <<_EOF
pass out quick proto tcp from any to 17.249.0.0/16 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 17.252.0.0/16 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 17.57.144.0/22 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 17.188.128.0/18 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 17.188.20.0/23 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 2620:149:a44::/48 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 2403:300:a42::/48 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 2403:300:a51::/48 port { 443, 2197, 5223 } flags any keep state
pass out quick proto tcp from any to 2a01:b740:a42::/48 port { 443, 2197, 5223 } flags any keep state
_EOF
# Flush the state table (NAT and filter)
sudo pfctl -Fs
}

function allow_apple_services_off {
pfctl -a ${ANCHOR_NAME}/apple_services -Fr
# Flush the state table (NAT and filter)
sudo pfctl -Fs
}
####

function main {

Expand Down Expand Up @@ -249,6 +283,14 @@ function main {
get_firewall_enabled || return 0

set_dns $2

elif [[ $1 = "-allow_apple_services_on" ]]; then

allow_apple_services_on

#return 0
elif [[ $1 = "-allow_apple_services_off" ]]; then
allow_apple_services_off
else
echo "Unknown command"
return 2
Expand Down
15 changes: 15 additions & 0 deletions daemon/protocol/protocol.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ type Service interface {
SetKillSwitchAllowLANMulticast(isAllowLanMulticast bool) error
SetKillSwitchAllowLAN(isAllowLan bool) error
SetKillSwitchAllowAPIServers(isAllowAPIServers bool) error
SetKillSwitchAllowAppleServices(isAllowAppleServices bool) error
SetKillSwitchUserExceptions(exceptions string, ignoreParsingErrors bool) error

GetConnectionParams() service_types.ConnectionParams
Expand Down Expand Up @@ -706,6 +707,20 @@ func (p *Protocol) processRequest(conn net.Conn, message string) {
p.sendResponse(conn, &types.EmptyResp{}, req.Idx)
// all clients will be notified in case of successful change by OnKillSwitchStateChanged() handler

case "KillSwitchSetAllowAppleServices":
var req types.KillSwitchSetAllowAppleServices
if err := json.Unmarshal(messageData, &req); err != nil {
p.sendErrorResponse(conn, reqCmd, err)
break
}
if err := p._service.SetKillSwitchAllowAppleServices(req.IsAllowAppleServices); err != nil {
p.sendErrorResponse(conn, reqCmd, err)
break
}
// send the response to the requestor
p.sendResponse(conn, &types.EmptyResp{}, req.Idx)
// all clients will be notified in case of successful change by OnKillSwitchStateChanged() handler

// TODO: avoid using raw key as a string
// NOTE: please, use 'SetUserPreferences' for future extensions
case "SetPreference":
Expand Down
5 changes: 5 additions & 0 deletions daemon/protocol/types/requests.go
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,11 @@ type KillSwitchSetAllowApiServers struct {
IsAllowApiServers bool
}

type KillSwitchSetAllowAppleServices struct {
RequestBase
IsAllowAppleServices bool
}

// KillSwitchSetEnabled request to enable\disable kill-switch
type KillSwitchSetEnabled struct {
RequestBase
Expand Down
6 changes: 6 additions & 0 deletions daemon/service/firewall/firewall.go
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,12 @@ func RemoveHostsFromExceptions(IPs []net.IP, onlyForICMP bool, isPersistent bool
return err
}

func AllowAppleServices(isAllowAPIServers bool) error {
mutex.Lock()
defer mutex.Unlock()
return implAllowAppleServices(isAllowAPIServers)
}

// AllowLAN - allow/forbid LAN communication
func AllowLAN(allowLan bool, allowLanMulticast bool) error {
mutex.Lock()
Expand Down
20 changes: 19 additions & 1 deletion daemon/service/firewall/firewall_darwin.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,8 @@ import (
var (
// key: is a string representation of allowed IP
// value: true - if exception rule is persistant (persistant, means will stay available even client is disconnected)
allowedHosts map[string]bool
allowedHosts map[string]bool
allowAppleServices bool
)

func init() {
Expand Down Expand Up @@ -132,6 +133,15 @@ func implClientDisconnected() error {
return shell.Exec(nil, platform.FirewallScript(), "-disconnected")
}

func implAllowAppleServices(isAllowAPIServers bool) error {
allowAppleServices = isAllowAPIServers
if allowAppleServices {
return shell.Exec(log, platform.FirewallScript(), "-allow_apple_services_on")
} else {
return shell.Exec(log, platform.FirewallScript(), "-allow_apple_services_off")
}
}

func implAllowLAN(isAllowLAN bool, isAllowLanMulticast bool) error {
// the rule should stay unchanged independently from VPN connection state
isPersistent := true
Expand Down Expand Up @@ -271,6 +281,14 @@ func reApplyExceptions() error {
err = err2
}
}

err3 := implAllowAppleServices(allowAppleServices)
if err3 != nil {
log.Error(err3)
if err == nil {
err = err3
}
}
return err
}

Expand Down
4 changes: 4 additions & 0 deletions daemon/service/firewall/firewall_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,10 @@ func implClientDisconnected() error {
return shell.Exec(nil, platform.FirewallScript(), "-disconnected")
}

func implAllowAppleServices(isAllowAPIServers bool) error {
return nil // do nothing for Linux
}

func implAllowLAN(isAllowLAN bool, isAllowLanMulticast bool) error {
return doAllowLAN(isAllowLAN, isAllowLanMulticast)
}
Expand Down
4 changes: 4 additions & 0 deletions daemon/service/firewall/firewall_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,10 @@ func implRemoveHostsFromExceptions(IPs []net.IP, onlyForICMP bool, isPersistent
return nil
}

func implAllowAppleServices(isAllowAPIServers bool) error {
return nil // do nothing for Windows
}

// AllowLAN - allow/forbid LAN communication
func implAllowLAN(allowLan bool, allowLanMulticast bool) error {

Expand Down
1 change: 1 addition & 0 deletions daemon/service/preferences/preferences.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ type Preferences struct {
IsFwAllowLAN bool
IsFwAllowLANMulticast bool
IsFwAllowApiServers bool
IsFwAllowAppleServices bool // Bypass VPN for Apple Services Traffic. Enabling this option allows traffic from Apple services to bypass the IVPN Firewall, permitting specific Apple IP ranges through, and this traffic may be routed outside the VPN tunnel.
FwUserExceptions string // Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
IsStopOnClientDisconnect bool

Expand Down
32 changes: 24 additions & 8 deletions daemon/service/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,10 @@ func (s *Service) init() error {
log.Error("Failed to initialize firewall with AllowLAN preference value: ", err)
}

//log.Info("Applying firewal exceptions (user configuration)")
if err := firewall.AllowAppleServices(s._preferences.IsFwAllowAppleServices); err != nil {
log.Error("Failed to initialize firewall with AppleServices preference value: ", err)
}

if err := firewall.SetUserExceptions(s._preferences.FwUserExceptions, true); err != nil {
log.Error("Failed to apply firewall exceptions: ", err)
}
Expand Down Expand Up @@ -1077,13 +1080,14 @@ func (s *Service) KillSwitchState() (status types.KillSwitchStatus, err error) {
enabled, isLanAllowed, _, err := firewall.GetState()

return types.KillSwitchStatus{
IsEnabled: enabled,
IsPersistent: prefs.IsFwPersistant,
IsAllowLAN: prefs.IsFwAllowLAN,
IsAllowMulticast: prefs.IsFwAllowLANMulticast,
IsAllowApiServers: prefs.IsFwAllowApiServers,
UserExceptions: prefs.FwUserExceptions,
StateLanAllowed: isLanAllowed,
IsEnabled: enabled,
IsPersistent: prefs.IsFwPersistant,
IsAllowLAN: prefs.IsFwAllowLAN,
IsAllowMulticast: prefs.IsFwAllowLANMulticast,
IsAllowApiServers: prefs.IsFwAllowApiServers,
IsAllowAppleServices: prefs.IsFwAllowAppleServices,
UserExceptions: prefs.FwUserExceptions,
StateLanAllowed: isLanAllowed,
}, err
}

Expand Down Expand Up @@ -1161,6 +1165,18 @@ func (s *Service) SetKillSwitchAllowAPIServers(isAllowAPIServers bool) error {
return nil
}

func (s *Service) SetKillSwitchAllowAppleServices(isAllowAppleServices bool) error {
prefs := s._preferences
prefs.IsFwAllowAppleServices = isAllowAppleServices
s.setPreferences(prefs)

err := firewall.AllowAppleServices(isAllowAppleServices)
if err == nil {
s.onKillSwitchStateChanged()
}
return err
}

// SetKillSwitchUserExceptions set ip/mask to be excluded from FW block
// Parameters:
// - exceptions - comma separated list of IP addresses in format: x.x.x.x[/xx]
Expand Down
13 changes: 7 additions & 6 deletions daemon/service/types/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,13 @@
package types

type KillSwitchStatus struct {
IsEnabled bool // FW state
IsPersistent bool // configuration: true - when persistent
IsAllowLAN bool // configuration: 'Allow LAN'
IsAllowMulticast bool // configuration: 'Allow multicast'
IsAllowApiServers bool // configuration: 'Allow API servers'
UserExceptions string // configuration: Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
IsEnabled bool // FW state
IsPersistent bool // configuration: true - when persistent
IsAllowLAN bool // configuration: 'Allow LAN'
IsAllowMulticast bool // configuration: 'Allow multicast'
IsAllowApiServers bool // configuration: 'Allow API servers'
IsAllowAppleServices bool // configuration: 'Bypass Apple services'
UserExceptions string // configuration: Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]

StateLanAllowed bool // real state of 'Allow LAN'
}
40 changes: 40 additions & 0 deletions ui/src/components/settings/settings-firewall.vue
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,38 @@
>
</div>

<!-- Bypass apple services -->
<div class="param" tabindex="0">
<input
type="checkbox"
id="firewallBypassAppleServices"
v-model="firewallBypassAppleServices"
/>
<label class="defColor" for="firewallBypassAppleServices"
>Bypass VPN for Apple Services Traffic</label
>
<button class="noBordersBtn flexRow" title="Help" v-on:click="$refs.helpBypassAppleServices.showModal()">
<img src="@/assets/question.svg" />
</button>
<ComponentDialog ref="helpBypassAppleServices" header="Info">
<div>
<p>
Since macOS Sequoia (15.0), certain Apple apps (like Messages) may not function correctly
when the IVPN Firewall is enabled because Apple does not respect the system's default routing configuration.
</p>
<p>
Enabling this option allows traffic from Apple services to bypass the IVPN Firewall,
permitting specific Apple IP ranges through, and this traffic may be routed outside the VPN tunnel.
</p>
<div class="settingsGrayLongDescriptionFont">
This is a temporary workaround until Apple resolves the issue.
<br />
Note! This option is applicable only for the WireGuard protocol.
</div>
</div>
</ComponentDialog>
</div>

<!-- On-demand Firewall -->
<div class="settingsBoldFont" tabindex="0">On-demand Firewall:</div>

Expand Down Expand Up @@ -288,6 +320,14 @@ export default {
await sender.KillSwitchSetAllowApiServers(value);
},
},
firewallBypassAppleServices: {
get() {
return this.$store.state.vpnState.firewallState.IsAllowAppleServices;
},
async set(value) {
await sender.KillSwitchSetAllowAppleServices(value);
},
},
firewallAllowLan: {
get() {
return this.$store.state.vpnState.firewallState.IsAllowLAN;
Expand Down
8 changes: 8 additions & 0 deletions ui/src/daemon-client/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ const daemonRequests = Object.freeze({
KillSwitchGetStatus: "KillSwitchGetStatus",
KillSwitchSetEnabled: "KillSwitchSetEnabled",
KillSwitchSetAllowApiServers: "KillSwitchSetAllowApiServers",
KillSwitchSetAllowAppleServices: "KillSwitchSetAllowAppleServices",
KillSwitchSetAllowLANMulticast: "KillSwitchSetAllowLANMulticast",
KillSwitchSetAllowLAN: "KillSwitchSetAllowLAN",
KillSwitchSetIsPersistent: "KillSwitchSetIsPersistent",
Expand Down Expand Up @@ -1439,6 +1440,12 @@ async function KillSwitchSetAllowApiServers(IsAllowApiServers) {
IsAllowApiServers,
});
}
async function KillSwitchSetAllowAppleServices(IsAllowAppleServices) {
await sendRecv({
Command: daemonRequests.KillSwitchSetAllowAppleServices,
IsAllowAppleServices,
});
}

async function KillSwitchSetAllowLANMulticast(AllowLANMulticast) {
await sendRecv({
Expand Down Expand Up @@ -1907,6 +1914,7 @@ export default {

EnableFirewall,
KillSwitchSetAllowApiServers,
KillSwitchSetAllowAppleServices,
KillSwitchSetAllowLANMulticast,
KillSwitchSetAllowLAN,
KillSwitchSetIsPersistent,
Expand Down
6 changes: 6 additions & 0 deletions ui/src/ipc/main-listener.js
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,12 @@ ipcMain.handle(
return await client.KillSwitchSetAllowApiServers(enable);
}
);
ipcMain.handle(
"renderer-request-KillSwitchSetAllowAppleServices",
async (event, enable) => {
return await client.KillSwitchSetAllowAppleServices(enable);
}
);
ipcMain.handle(
"renderer-request-KillSwitchSetAllowLANMulticast",
async (event, enable) => {
Expand Down
6 changes: 6 additions & 0 deletions ui/src/ipc/renderer-sender.js
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,12 @@ export default {
isEnable
);
},
KillSwitchSetAllowAppleServices: async (isEnable) => {
return await invoke(
"renderer-request-KillSwitchSetAllowAppleServices",
isEnable
);
},
KillSwitchSetAllowLANMulticast: async (isEnable) => {
return await invoke(
"renderer-request-KillSwitchSetAllowLANMulticast",
Expand Down
1 change: 1 addition & 0 deletions ui/src/store/module-vpn-state.js
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ export default {
IsAllowLAN: null,
IsAllowMulticast: null,
IsAllowApiServers: null,
IsAllowAppleServices: null,
UserExceptions: "",
},

Expand Down

0 comments on commit c44b9f1

Please sign in to comment.