Refactor firewall rules for LAN access

[stenya]

Feature request

Description

Settings → IVPN Firewall → Allow LAN Traffic when IVPN Firewall is enabled

When this option is enabled, the VPN daemon inspects all currently available local interfaces and permits communication within identified networks using network mask information.

Describe the solution you'd like

Rather than focusing on the specific local networks the user is connected to, I suggest allowing all non-routable IP ranges when the "Allow LAN Traffic" feature is enabled:

Network Mask	Type	Explanation	Reference Document
10.0.0.0/8	IPv4 Private Address	Used for private networks	RFC 1918
172.16.0.0/12	IPv4 Private Address	Used for private networks	RFC 1918
192.168.0.0/16	IPv4 Private Address	Used for private networks	RFC 1918
169.254.0.0/16	IPv4 Auto-IP	Used when DHCP fails, for local communication	RFC 3927
fc00::/7	IPv6 Unique Local	Used for private networks (ULA)	RFC 4193
fe80::/10	IPv6 Link-Local	Used for local communication, not routable	RFC 4291

These ranges comprehensively cover all potential local interface ranges a user might connect to. This approach ensures users can access local networks regardless of changes in their network configurations.

Note: we need to add a '?' popup after the option “Allow LAN traffic when IVPN Firewall is enabled” with the text “This includes traffic to all private address spaces in RFC 1918, 3927, 4193, 4291”.

[stenya]

@gorkapernas v3.11.18

[gorkapernas]

Verified on version 3.12.0, tested LAN on all platforms, with OpenVPN and WireGuard.

• macOS -> capturing traffic packets with Wireshark while using a macOS and an iOS device when communicating to each other. For instance, when pinging the local IP address of the iOS device on macOS (both in the same local network), the iOS and macOS network packets are both source and destination in Wireshark, however if disabling Allow LAN Traffic when IVPN Firewall is enabled on macOS, the ping request on macOS times-out. LAN can also be tested with Airdrop, when Allow LAN Traffic when IVPN Firewall is enabled is disabled, macOS cannot find other devices in the same local network, but when Allow LAN Traffic when IVPN Firewall is enabled is enabled, Airdrop works as expected.

• Windows and Linux -> LAN file sharing. Windows to Android, when connected to the VPN + FW ON and Allow LAN Traffic when IVPN Firewall is enabled is disabled, it is not possible to connect to the host device (Windows) and same the other way around, however if Allow LAN Traffic when IVPN Firewall is enabled is enabled, connection to the host device can be established successfully. Ubuntu to Fedora and vice versa, when connected to the VPN + FW ON and Allow LAN Traffic when IVPN Firewall is enabled is disabled, it is not possible to connect to the host device, however if Allow LAN Traffic when IVPN Firewall is enabled is enabled, connection to the host device can be established successfully.

I also confirm that the tooltip next to the option “Allow LAN traffic when IVPN Firewall is enabled” has been implemented as described in this ticket.

This is good to go.

[stenya]

v3.12.0 released