fix(openvpn/extract): restrict custom openvpn config protocol to tcp or udp internally

- Fix #3179 - I believe specifying tcp4, tcp6 or tcp-client does not change anything versus tcp + remote ip address - I believe specifying udp4 or udp6 does not change anything versus tcp + remote ip address - Simplify firewall code to not account for tcp-client etc.
2026-05-07 04:20:12 +02:00 · 2026-03-04 18:58:33 +00:00
parent e7b25a0d5e
commit c6c3a2bf1b
3 changed files with 24 additions and 20 deletions
@@ -151,9 +151,6 @@ func (c *Config) AcceptOutputTrafficToVPN(ctx context.Context,
 	defaultInterface string, connection models.Connection, remove bool,
 ) error {
 	protocol := connection.Protocol
-	if protocol == "tcp-client" {
-		protocol = "tcp"
-	}
 	instruction := fmt.Sprintf("%s OUTPUT -d %s -o %s -p %s -m %s --dport %d -j ACCEPT",
 		appendOrDelete(remove), connection.IP, defaultInterface, protocol,
 		protocol, connection.Port)
@@ -81,10 +81,7 @@ func extractDataFromLine(line string) (
 	return ip, 0, "", nil
 }

-var (
-	errProtoLineFieldsCount = errors.New("proto line has not 2 fields as expected")
-	errProtocolNotSupported = errors.New("network protocol not supported")
-)
+var errProtoLineFieldsCount = errors.New("proto line has not 2 fields as expected")

 func extractProto(line string) (protocol string, err error) {
 	fields := strings.Fields(line)
@@ -92,13 +89,25 @@ func extractProto(line string) (protocol string, err error) {
 		return "", fmt.Errorf("%w: %s", errProtoLineFieldsCount, line)
 	}

-	switch fields[1] {
-	case "tcp", "tcp4", "tcp6", "tcp-client", "udp", "udp4", "udp6":
-	default:
-		return "", fmt.Errorf("%w: %s", errProtocolNotSupported, fields[1])
-	}
+	return parseProto(fields[1])
+}

-	return fields[1], nil
+var errProtocolNotSupported = errors.New("network protocol not supported")
+
+func parseProto(field string) (protocol string, err error) {
+	switch field {
+	case "tcp", "tcp4", "tcp6", "tcp-client":
+		// tcp4, tcp6 can be assimilated as tcp since the IP version is
+		// determined by the remote IP address version.
+		// tcp-client is a synonym of tcp for OpenVPN 2.5+ acting in client mode.
+		return constants.TCP, nil
+	case "udp", "udp4", "udp6":
+		// udp4, udp6 can be assimilated as udp since the IP version is
+		// determined by the remote IP address version.
+		return constants.UDP, nil
+	default:
+		return "", fmt.Errorf("%w: %s", errProtocolNotSupported, field)
+	}
 }

 var (
@@ -136,11 +145,9 @@ func extractRemote(line string) (ip netip.Addr, port uint16,
 	}

 	if n > 3 { //nolint:mnd
-		switch fields[3] {
-		case "tcp", "udp":
-			protocol = fields[3]
-		default:
-			return netip.Addr{}, 0, "", fmt.Errorf("%w: %s", errProtocolNotSupported, fields[3])
+		protocol, err = parseProto(fields[3])
+		if err != nil {
+			return netip.Addr{}, 0, "", fmt.Errorf("parsing protocol from remote line: %w", err)
 		}
 	}

@@ -105,7 +105,7 @@ func Test_extractDataFromLine(t *testing.T) {
 		},
 		"tcp-client": {
 			line:     "proto tcp-client",
-			protocol: "tcp-client",
+			protocol: constants.TCP,
 		},
 		"extract remote error": {
 			line:  "remote bad",
@@ -239,7 +239,7 @@ func Test_extractRemote(t *testing.T) {
 		},
 		"invalid protocol": {
 			line: "remote 1.2.3.4 8000 bad",
-			err:  errors.New("network protocol not supported: bad"),
+			err:  errors.New("parsing protocol from remote line: network protocol not supported: bad"),
 		},
 		"IP host and port and protocol": {
 			line:     "remote 1.2.3.4 8000 udp",