ntop / n2n

Peer-to-peer VPN
GNU General Public License v3.0

Make the network in windows identifiable #207

Open gzz2000 opened 4 years ago

gzz2000 commented 4 years ago

The virtual network launched by the TAP driver works, but has a state called "unidentified network", and thus can't be set to a private network. I've set special firewall rules to permit inbound traffic for private networks, but it seems that we need to have Windows identify the network created by n2n first. Is it possible to do that? I'm not familiar with TAP; maybe there's something that needs to be added to the code to register a named network or something like that.

By the way, there actually are methods that can set an unidentified network to a private network, but it becomes invalid after restarting the edge client or after a system reboot and thus needs to be performed again and again. So I think this method is neither safe nor elegant.

emanuele-f commented 4 years ago

It should be possible to do this programmatically via the Windows API (e.g. https://docs.microsoft.com/en-us/windows/win32/api/netlistmgr/nn-netlistmgr-inetwork). Do you think that the n2n network should always be identified as private, or does it depend on the user's needs (so we need an option to choose this)? Can you provide a patch to implement such functionality?

gzz2000 commented 4 years ago

If it's identified by Windows, then Windows will pop up a window asking the user to decide the proper type of the newly discovered network. So maybe there's no need to provide any options inside n2n.

However, it seems that the link you provided does a similar thing to the PowerShell script workaround I mentioned. It may set the network to private, but it isn't making the network identified by Windows. Well, I don't know how to make it clear... So it also suffers from the inconvenience, lack of safety and inelegance mentioned before.

What I'm looking for is a way to make n2n cooperate with TAP to provide a network that can be set to public or private in Windows settings. The current implementation seems to be making the virtual network a "stray" one.

emanuele-f commented 4 years ago

Oh, I understand the problem. It seems like such an "unidentified" state occurs when the default route is not going through the network (from https://gist.github.com/Cjones90/0ccb6d1b9c0030132b34).

gzz2000 commented 4 years ago

Sorry, my limited knowledge about Windows' network stack is preventing me from understanding you, but it may be possible to do things in n2n like OpenVPN does?

emanuele-f commented 4 years ago

Sorry, my comment above is a bit ambiguous; I mean that I understand your explanation but not the problem itself. Googling the problem, it seems like Windows does not recognize the network as "identified" because it is not the network interface that you use to reach the internet. I currently don't have an environment to test this on Windows. Setting this problem with the unidentified network aside, another option for you could be to set up network-based (e.g. network 192.168.10.0/24 allowed) firewall rules instead of zone-based (e.g. private network allowed) firewall rules.
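
The network-based alternative suggested above, written out as an added example (not code from the n2n project or from either participant). It assumes the thread's 192.168.10.0/24 subnet, a hypothetical TAP adapter alias "n2n", and that only SSH and ping need to be reachable from peers.

```powershell
# Added example: Windows Firewall rules scoped to the n2n subnet and the TAP
# adapter instead of to the "Private" profile. Because they use -Profile Any,
# they keep working while Windows still classifies the TAP network as
# "unidentified" (which falls under the Public profile), and they survive
# edge restarts and reboots, unlike the set-to-private workaround.
# Assumptions: subnet 192.168.10.0/24 (from the thread), adapter alias "n2n"
# (hypothetical; check Get-NetAdapter). Run from an elevated PowerShell.

$Subnet   = "192.168.10.0/24"
$Adapter  = "n2n"
$RuleName = "n2n inbound (subnet-scoped)"

# Remove any previous copy so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound SSH only from n2n peers and only on the TAP adapter.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Profile Any `
    -InterfaceAlias $Adapter -RemoteAddress $Subnet `
    -Protocol TCP -LocalPort 22 | Out-Null

# Same scope for ICMPv4 echo requests so peers can ping this host.
New-NetFirewallRule -DisplayName "$RuleName ping" `
    -Direction Inbound -Action Allow -Profile Any `
    -InterfaceAlias $Adapter -RemoteAddress $Subnet `
    -Protocol ICMPv4 -IcmpType 8 | Out-Null

# Verify that the address and interface scope actually applied: the rule
# should list only the n2n subnet and only the TAP adapter, not "Any".
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Get-NetFirewallAddressFilter   | Select-Object RemoteAddress
$rule | Get-NetFirewallInterfaceFilter | Select-Object InterfaceAlias
```

Remove the `-InterfaceAlias` line if the adapter alias is unknown; the `-RemoteAddress` scope alone already keeps the rule off the internet-facing interface.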

gzz2000 commented 4 years ago

Thank you. In fact it's possible for a network to be identified without using it to reach the Internet. For example, you can try ZeroTier's Windows client; they did it. I think they are using a somewhat proprietary virtual network driver to achieve this, so I don't know if it's possible when using TAP. Here's a screenshot on my computer (sorry, it's in Chinese).