From 36938720f3aa4e6d963d73223a614d7ceafbb0b8 Mon Sep 17 00:00:00 2001
From: t-m-w <7275539+t-m-w@users.noreply.github.com>
Date: Mon, 17 Oct 2022 16:47:53 -0400
Subject: [PATCH] Block non-VPN incoming traffic in lockdown mode

Work around AOSP issue that allows incoming traffic from non-VPN interfaces such as Wi-Fi when VPN is configured to "Block connections without VPN" (lockdown mode).
---
 .../blinkt/openvpn/core/OpenVPNService.java | 42 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
index 4b394136b..714058f99 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -93,6 +93,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 private Shapeshifter shapeshifter;
 private ObfsVpnClient obfsVpnClient;
 private FirewallManager firewallManager;
+ private boolean mIsLockdownEnabled = false;
 private final IBinder mBinder = new IOpenVPNServiceInternal.Stub() {
@@ -576,10 +577,38 @@ private String getTunConfigString() {
 return cfg;
 }
+ public void determineLockdownState() {
+ Builder builder = new Builder();
+
+ try {
+ builder.addAddress(mLocalIP.mIp, mLocalIP.len);
+ } catch (IllegalArgumentException iae) {
+ return;
+ }
+
+ ParcelFileDescriptor tun = null;
+ try {
+ tun = builder.establish();
+ mIsLockdownEnabled = isLockdownEnabledCompat();
+ } catch (Exception e) {
+ VpnStatus.logError(getString(R.string.error) + e.getLocalizedMessage());
+ } finally {
+ if (tun != null) {
+ try {
+ tun.close();
+ } catch (Exception e) {
+ VpnStatus.logError(getString(R.string.error) + e.getLocalizedMessage());
+ }
+ }
+ }
+ }
+
 public ParcelFileDescriptor openTun() {
 //Debug.startMethodTracing(getExternalFilesDir(null).toString() + "/opentun.trace", 40* 1024 * 1024);
+ determineLockdownState();
+
 if (mProfile == null) {
 VpnStatus.logError("Refusing to open tun device without profile.");
 return null;
@@ -641,6 +670,15 @@ public ParcelFileDescriptor openTun() {
 builder.setMtu(mMtu);
 }
+ // Don't exclude local addresses at all in lockdown mode.
+ // Otherwise, incoming traffic can still bypass lockdown (AOSP quirk/bug).
+ if (mIsLockdownEnabled) {
+ mRoutes.clear();
+ mRoutesv6.clear();
+ addRoute(new CIDRIP("0.0.0.0", 0), true);
+ addRoutev6("::/0", true);
+ }
+
 Collection positiveIPv4Routes = mRoutes.getPositiveIPList();
 Collection positiveIPv6Routes = mRoutesv6.getPositiveIPList();
@@ -715,7 +753,7 @@ public ParcelFileDescriptor openTun() {
 ipv6info = mLocalIPv6;
 }
- if ((!mRoutes.getNetworks(false).isEmpty() || !mRoutesv6.getNetworks(false).isEmpty()) && isLockdownEnabledCompat())
+ if ((!mRoutes.getNetworks(false).isEmpty() || !mRoutesv6.getNetworks(false).isEmpty()) && mIsLockdownEnabled)
 {
 VpnStatus.logInfo("VPN lockdown enabled (do not allow apps to bypass VPN) enabled. Route exclusion will not allow apps to bypass VPN (e.g. bypass VPN for local networks)");
 }
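Review bot: determineLockdownState() dereferences `mLocalIP.mIp` inside a try that only catches IllegalArgumentException, and openTun() now calls it before its own profile and address checks run, so an IPv6-only or not-yet-pushed configuration where mLocalIP is still null would surface as a NullPointerException instead of the graceful return; a guard such as `if (mLocalIP == null) return;` before the addAddress call keeps the probe best-effort. `builder.establish()` can also return null without throwing (the service not being prepared, or the VPN permission having been revoked), in which case the code still assigns `mIsLockdownEnabled = isLockdownEnabledCompat()` with no interface up, which seems to be exactly the situation the probe exists to avoid — `if (tun != null) mIsLockdownEnabled = isLockdownEnabledCompat();` would make that explicit. Since a process holds one VPN interface at a time, as far as I recall the platform behaviour, re-entering openTun() on a reconnect briefly replaces a fully routed tunnel with this address-only probe interface; when lockdown is off that is a short window in which application traffic can leave over the underlying network, which deserves a method-level comment stating that the probe is only safe to run when no routed tunnel needs to stay up. The enclosing openTun() body continues outside the hunk.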
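Review bot: The lockdown branch at +670 clears mRoutes and mRoutesv6 entirely and replaces them with 0.0.0.0/0 and ::/0, which discards pushed positive routes (split-tunnel configurations) as well as exclusions, while the comment above it only mentions local-address exclusion and so under-describes the effect. Suggest `// In lockdown mode route everything through the tun and drop all pushed routes and exclusions; otherwise incoming traffic on other interfaces can still bypass lockdown (AOSP quirk/bug).` A knock-on effect lands in the hunk at -715: assuming `getNetworks(false)` returns the excluded networks as the log text suggests, the lists are always empty once this branch has run, so the rewritten condition `... && mIsLockdownEnabled` can no longer be true and the logInfo about route exclusion is dead code; either remove it or move a `VpnStatus.logInfo(...)` about the route reset into this branch so operators can see in the log that split-tunnel and exclusion routes were overridden.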
@@ -1168,4 +1206,4 @@ public void trigger_url_open(String info) {
 mNotificationManager.notify(notificationId, notification);
 */
 }
-}
\ No newline at end of file
+}