Initial attempt at server switching support

Author: oskirby

macos/networkextension/VPNSplitTunnelProvider.mm

@@ -5,6 +5,7 @@
 #import <NetworkExtension/NetworkExtension.h>
 
 #import "interfaceconfig.h"
+#import "utils.h"
 #import "wireguardtunnel.h"
 
 #include <atomic>
@@ -55,13 +56,6 @@ - (id)init{
   return self;
 }
 
-+ (NSError*) makeError:(NSInteger)code
-       withDescription:(NSString*)desc {
-  return [NSError errorWithDomain:[[NSBundle mainBundle] bundleIdentifier]
-                             code:code
-                         userInfo:@{NSLocalizedDescriptionKey: desc}];
-}
-
 + (nw_endpoint_t)convertEndpoint:(NWEndpoint*)old {
   if (old == nil) {
     return nil;
@@ -149,13 +143,11 @@ - (void)startProxyWithOptions:(NSDictionary<NSString *,id> *)options
   m_handledUnknown = 0;
 
   // Parse the configuration
-  InterfaceConfig* config = [[InterfaceConfig alloc] initFromDict:options];
-  if (!config) {
-    completionHandler([VPNSplitTunnelProvider makeError:1
-                                        withDescription:@"invalid configuration"]);
+  _config = [[InterfaceConfig alloc] initFromDict:options];
+  if (!self.config) {
+    completionHandler(vpnProviderError(NEProviderStopReasonConfigurationFailed));
     return;
   }
-  _config = config;
 
   self.wireguard = [WireguardTunnel new];
   self.settings = [[NETransparentProxyNetworkSettings alloc] initWithTunnelRemoteAddress:self.protocolConfiguration.serverAddress];
@@ -245,6 +237,12 @@ - (void)startProxyWithOptions:(NSDictionary<NSString *,id> *)options
           return;
         }
 
+        // Register a KVO observer to switch servers upon configuration change.
+        [weakSelf addObserver:weakSelf
+                   forKeyPath:@"protocolConfiguration"
+                      options:NSKeyValueObservingOptionOld | NSKeyValueObservingOptionNew
+                      context:nil];
+
         // Success
         completionHandler(nil);
       }];
@@ -260,10 +258,91 @@ - (void)stopProxyWithReason:(NEProviderStopReason)reason
   NSLog(@"handled udp flows: %lld", std::atomic_load(&m_handledUdpFlows));
   NSLog(@"handled unknown flows: %lld", std::atomic_load(&m_handledUnknown));
 
+  [self removeObserver:self
+            forKeyPath:@"protocolConfiguration"];
+
   [self.wireguard stopTunnelWithReason:reason
                      completionHandler:completionHandler];
 }
 
+- (void)observeValueForKeyPath:(NSString *)keyPath
+                      ofObject:(id)object
+                        change:(NSDictionary *)change
+                       context:(void *)context {
+  // The only thing we should be observing is the protocolConfiguration
+  if (![keyPath isEqual:@"protocolConfiguration"]) {
+    return;
+  }
+  NSLog(@"configuration changed");
+
+  // Parse and update the configuration
+  NETunnelProviderProtocol* proto = (NETunnelProviderProtocol*)self.protocolConfiguration;
+  _config = [[InterfaceConfig alloc] initFromDict:proto.providerConfiguration];
+  if (!self.config) {
+    // We can't make sense of this configuration.
+    [self.wireguard stopTunnelWithReason:NEProviderStopReasonConfigurationFailed
+                       completionHandler:^(){
+      [self cancelProxyWithError:vpnProviderError(NEProviderStopReasonConfigurationFailed)];
+    }];
+    return;
+  }
+
+  // Update the app exclusion settings.
+  [self.vpnDisabledApps removeAllObjects];
+  NSArray* apps = [proto.providerConfiguration objectForKey:@"apps"];
+  if (apps) {
+    NSEnumerator* iter = [apps objectEnumerator];
+    while (id appId = [iter nextObject]) {
+      if (![appId isKindOfClass:[NSString class]]) {
+        continue;
+      }
+#ifdef MZ_DEBUG
+      NSLog(@"excluding app %@ from VPN", appId);
+#endif
+      [self.vpnDisabledApps addObject: appId];
+    }
+  }
+  // TODO: We probably need to update/reset connections if they changed their exclusion status.
+  // but how?
+
+  // YOLO: Does this do anything....
+  [self performSelector:@selector(fetchFlowStatesWithCompletionHandler:)
+             withObject:^(NSArray* result){
+    NSLog(@"flow count: %lu", result.count);
+    for (NSObject* obj in result) {
+      NSLog(@"flow state: %@", NSStringFromClass(obj.class));
+    }
+  }];
+
+  // Check if the server identitiy changed. Do nothing if no changes.
+  NETunnelProviderProtocol* old = [change objectForKey:@"old"];
+  if (old && [old isKindOfClass:NETunnelProviderProtocol.class]) {
+    NSString* oldPubKey = [old.providerConfiguration objectForKey:@"serverPublicKey"];
+    if (oldPubKey && [oldPubKey isKindOfClass:NSString.class]) {
+      if ([oldPubKey isEqual:self.config.serverPublicKey]) {
+        return;
+      }
+    }
+  }
+
+  // Shutdown the old wireguard peer and start a new one.
+  self.reasserting = TRUE;
+  [self.wireguard.peer stopWithReason:NEProviderStopReasonSuperceded
+                    completionHandler:^(){
+    // Create and start a new peer.
+    self.wireguard.peer = [[WireguardPeer alloc] initWithOptions:self.config
+                                                       andTunnel:self.wireguard];
+    [self.wireguard.peer startWithOptions:self.config
+                        completionHandler:^(NSError*err){
+      if (err) {
+        [self cancelProxyWithError:err];
+      } else {
+        self.reasserting = FALSE;
+      }
+    }];
+  }];
+}
+
 - (BOOL)matchAppFlow:(NEAppProxyFlow*)flow {
   // Without metadata - always direct the flow into the VPN.
   if (flow.metaData == nil) {
@@ -337,14 +416,14 @@ - (void)handleAppMessage:(NSData *)messageData
                                                 error:&error];
   if (error != nil) {
       NSLog(@"app message error: %@", error.localizedDescription);
-      [VPNSplitTunnelProvider sendAppError:error completionHandler:completionHandler];
+      [VPNSplitTunnelProvider sendAppResponse:error completionHandler:completionHandler];
       return;
   }
   NSString* action = [msg decodeObjectOfClass:NSString.class forKey:@"action"];
   if (!action) {
       NSLog(@"app message invalid action");
-      NSError* error = [VPNSplitTunnelProvider makeError:1 withDescription:@"invalid app message invalid"];
-      [VPNSplitTunnelProvider sendAppError:error completionHandler:completionHandler];
+      NSError* error = vpnProviderError(NEProviderStopReasonConfigurationFailed);
+      [VPNSplitTunnelProvider sendAppResponse:error completionHandler:completionHandler];
       return;
   }
 
@@ -366,8 +445,8 @@ - (void)handleAppMessage:(NSData *)messageData
 
   // Wireguard Tunnel messages
   if ([action isEqualToString:@"status"]) {
-    [VPNSplitTunnelProvider sendAppObject:self.wireguard.status
-                        completionHandler:completionHandler];
+    [VPNSplitTunnelProvider sendAppResponse:self.wireguard.status
+                          completionHandler:completionHandler];
     return;
   }
 
@@ -385,33 +464,20 @@ - (void)handleAppMessage:(NSData *)messageData
   [VPNSplitTunnelProvider sendAppResponse:nil completionHandler:completionHandler];
 }
 
-+ (void)sendAppResponse:(NSData*) responseData
++ (void)sendAppResponse:(id) obj
       completionHandler:(void (^)(NSData*)) completionHandler {
   if (!completionHandler) {
     return;
   }
-  completionHandler(responseData);
-}
 
-+ (void)sendAppObject:(id) obj
-    completionHandler:(void (^)(NSData*)) completionHandler {
   NSKeyedArchiver* encoder = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES];
-  if ([obj respondsToSelector:@selector(encodeWithCoder:)]) {
+  if ([obj isKindOfClass:[NSError class]]) {
+    [encoder encodeObject:obj forKey:@"error"];
+  } else if ([obj respondsToSelector:@selector(encodeWithCoder:)]) {
     [obj encodeWithCoder: encoder];
   }
   [encoder finishEncoding];
   completionHandler(encoder.encodedData);
 }
 
-+ (void)sendAppError:(NSError*) error
-   completionHandler:(void (^)(NSData*)) completionHandler {
-  if (!completionHandler) {
-    return;
-  }
-  NSKeyedArchiver* encoder = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES];
-  [encoder encodeObject:error forKey:@"error"];
-  [encoder finishEncoding];
-  completionHandler(encoder.encodedData);
-}
-
 @end

macos/networkextension/utils.h

@@ -8,15 +8,9 @@
 
 #ifndef UTILS_H
 
-typedef enum {
-    kVPNSuccess = 0,
-    kVPNErrInvalidConfig = 1,
-    kVPNErrTunnelNotRunning = 2,
-} VPNErrorType;
-
 nw_endpoint_t convertEndpoint(NWEndpoint* ep);
 NSUInteger getWorkerCount();
-NSError* vpnProviderError(VPNErrorType err, NSString* msg);
+NSError* vpnProviderError(NEProviderStopReason reason);
 NSError* vpnPosixError(int code, NSString* msg);
 
 #endif  // UTILS_H

macos/networkextension/utils.mm

@@ -62,10 +62,81 @@ nw_endpoint_t convertEndpoint(NWEndpoint* old) {
   return nw_endpoint_create_host(host.hostname.UTF8String, host.port.UTF8String);
 }
 
-NSError* vpnProviderError(VPNErrorType err, NSString* description) {
+NSError* vpnProviderError(NEProviderStopReason reason) {
+  NSDictionary<NSString *,id>* info = nil;
+  switch (reason) {
+    case NEProviderStopReasonNone:
+      info = @{NSLocalizedDescriptionKey: @"No specific reason"};
+      break;
+
+    case NEProviderStopReasonUserInitiated:
+      info = @{NSLocalizedDescriptionKey: @"The user stopped the provider extension"};
+      break;
+
+    case NEProviderStopReasonProviderFailed:
+      info = @{NSLocalizedDescriptionKey: @"The provider failed to function correctly"};
+      break;
+
+    case NEProviderStopReasonNoNetworkAvailable:
+      info = @{NSLocalizedDescriptionKey: @"No network connectivity is currently available"};
+      break;
+
+    case NEProviderStopReasonUnrecoverableNetworkChange:
+      info = @{NSLocalizedDescriptionKey: @"The device's network connectivity changed"};
+      break;
+
+    case NEProviderStopReasonProviderDisabled:
+      info = @{NSLocalizedDescriptionKey: @"The provider was disabled"};
+      break;
+
+    case NEProviderStopReasonAuthenticationCanceled:
+      info = @{NSLocalizedDescriptionKey: @"The authentication process was canceled"};
+      break;
+
+    case NEProviderStopReasonConfigurationFailed:
+      info = @{NSLocalizedDescriptionKey: @"The configuration is invalid"};
+      break;
+
+    case NEProviderStopReasonIdleTimeout:
+      info = @{NSLocalizedDescriptionKey: @"The session timed out"};
+      break;
+
+    case NEProviderStopReasonConfigurationDisabled:
+      info = @{NSLocalizedDescriptionKey: @"The configuration was disabled"};
+      break;
+
+    case NEProviderStopReasonConfigurationRemoved:
+      info = @{NSLocalizedDescriptionKey: @"The configuration was removed"};
+      break;
+
+    case NEProviderStopReasonSuperceded:
+      info = @{NSLocalizedDescriptionKey: @"The configuration was superceded by a higher-priority configuration"};
+      break;
+
+    case NEProviderStopReasonUserLogout:
+      info = @{NSLocalizedDescriptionKey: @"The user logged out"};
+      break;
+
+    case NEProviderStopReasonConnectionFailed:
+      info = @{NSLocalizedDescriptionKey: @"The connection failed"};
+      break;
+
+    case NEProviderStopReasonSleep:
+      info = @{NSLocalizedDescriptionKey: @"A stop reason indicating the configuration enabled disconnect on sleep and the device went to sleep"};
+      break;
+
+    case NEProviderStopReasonInternalError:
+      info = @{NSLocalizedDescriptionKey: @"The provider encountered an internal error"};
+      break;
+
+    case NEProviderStopReasonAppUpdate:
+    default:
+      break;
+  }
+
   return [NSError errorWithDomain:[[NSBundle mainBundle] bundleIdentifier]
-                             code:(NSUInteger)err
-                         userInfo:@{NSLocalizedDescriptionKey: description}];
+                             code:(NSUInteger)reason
+                         userInfo:info];
 }
 
 NSError* vpnPosixError(int code, NSString* desc) {

macos/networkextension/wireguardpeer.mm

@@ -170,7 +170,7 @@ - (void) socketWorker:(id)arg {
 
 - (void) stopWithReason:(NEProviderStopReason)reason 
       completionHandler:(void (^)()) completionHandler {
-  [self cancelWithError:vpnPosixError(ECANCELED, @"wireguard peer stopped")];
+  [self cancelWithError:vpnProviderError(reason)];
   completionHandler();
 }
 

src/platforms/macos/macosextensioncontroller.mm

@@ -190,19 +190,32 @@ - (void)notifyStatusChanged:(NSNotification*)notify;
   }
   [options setObject:vpnDisabledApps forKey:@"apps"];
 
-  // Start the split tunnel proxy.
-  NSError* error = nil;
-  NETunnelProviderSession* session =
-      static_cast<NETunnelProviderSession*>(m_manager.connection);
-  BOOL okay = [session startTunnelWithOptions:options andReturnError:&error];
-  if (error) {
-    logger.warning() << "proxy start error:" << error.localizedDescription;
-  } else if (!okay) {
-    logger.warning() << "proxy start failed";
-  } else {
-    // Save the session and retain it.
-    m_session = [session retain];
-  }
+  // Update the tunnel configuration.
+  NETunnelProviderProtocol* proto =
+      static_cast<NETunnelProviderProtocol*>(m_manager.protocolConfiguration);
+  proto.providerConfiguration = options;
+  [m_manager saveToPreferencesWithCompletionHandler:^(NSError* error) {
+    if (error) {
+      logger.warning() << "prefs update error:" << error.localizedDescription;
+      return;
+    }
+
+    // If we don't already have a session - start one.
+    if (m_session) {
+      return;
+    }
+    NETunnelProviderSession* session =
+        static_cast<NETunnelProviderSession*>(m_manager.connection);
+    BOOL okay = [session startTunnelWithOptions:options andReturnError:&error];
+    if (error) {
+      logger.warning() << "proxy start error:" << error.localizedDescription;
+    } else if (!okay) {
+      logger.warning() << "proxy start failed";
+    } else {
+      // Save the session and retain it.
+      m_session = [session retain];
+    }
+  }];
 }
 
 void MacOSExtensionController::deactivate() {
@@ -304,8 +317,8 @@ - (void)notifyEnabledChanged:(NSNotification*)notify {
 }
 
 - (void)notifyStatusChanged:(NSNotification*)notify {
-  NEVPNStatus status = static_cast<NEVPNConnection*>(notify.object).status;
-  QMetaObject::invokeMethod(self.parent, "extStatusChange", Q_ARG(int, status));
+  NEVPNConnection* conn = static_cast<NEVPNConnection*>(notify.object);
+  QMetaObject::invokeMethod(self.parent, "extStatusChange", Q_ARG(int, conn.status));
 }
 
 @end