AdguardTeam / VpnLibs

Open bug tracker for AdGuard VPN core library

Do not circumvent Windows Firewall rules #10

Closed ameshkov closed 1 year ago

ameshkov commented 3 years ago

That's an interesting problem. The way it's implemented right now, AG will ignore Windows FW rules since all the traffic would look like it originated from AG VPN.

We should look for a way to solve this. In the worst-case scenario, we'll have to emulate these rules ourselves.

RalMay commented 3 years ago

Windows outgoing FW is about blocking destination addresses (/ports/[whatsoever]). So it's not that the traffic "looked like originating from AG-VPN" but that it is directed to a singular 'clean' (non-blocked) IP address (your server). Regular VPNs (tun/tap) use Win mechanisms, yours doesn't.

Unfortunately I do not see how you would circumvent your "worst case scenario" if you wanted to respect Win FW rules.

RalMay commented 3 years ago

Meanwhile you could just implement one of the standard VPN protocols so privacy-oriented users could just use the native client of that instead of the AG VPN client - all classic VPNs work with network interfaces. WireGuard may be a good solution bc it's light on resources, AFAIK relatively easy to implement at server side and native clients are available for most of the common OSes. 2nd advantage: All users with clients other than Win/iOS/Android could instantly use AG VPN.

sfionov commented 1 year ago

AG VPN 2.2 will have a Wintun method; it sets DNS using standard OS methods.

As for classic protocols, we have such a feature request.