
[pull] master from angristan:master#104

Merged
pull[bot] merged 1 commit into namibia:master from angristan:master on Dec 16, 2025

Conversation


@pull pull Bot commented Dec 16, 2025

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

…#1426)

## Summary

- Fixes firewall rules that hardcode `tun0` interface, which fails when
OpenVPN uses `tun1`, `tun2`, etc. because another service already
occupies `tun0`
- Uses a defense-in-depth approach combining interface wildcard matching
with source-based rules to prevent IP spoofing

Fixes #1298

## Changes

| Backend | Before | After |
|---------|--------|-------|
| **iptables** | `-i tun0` | `-i tun+ -s $VPN_SUBNET` |
| **nftables** | `iifname "tun0"` | `iifname "tun*" ip saddr $VPN_SUBNET` |
| **firewalld** | rich rules (source-based) | no change needed |

## Implementation Details

- **iptables/nftables**: Combined interface wildcard (`tun+`/`tun*`)
with source matching provides defense in depth - traffic must come from
both a tun interface AND the VPN subnet
- **firewalld**: Already used source-based rich rules, so no changes
required (rich rules work reliably across both iptables and nftables
backends)
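An added example, not code from this PR or from the openvpn-install script: a POSIX shell helper that emits the hardened form of the iptables/nftables rules described above (wildcard interface plus source match) and audits a saved ruleset for the pinned-`tun0` pattern and for wildcard rules that lack a source match. The chain and table names, the MASQUERADE rule, the `10.8.0.0/24` subnet, the `eth0` uplink and the sample ruleset are assumptions.

```shell
#!/bin/sh
# Emit the hardened OpenVPN rules for one backend: interface wildcard plus
# source match, so traffic must arrive on *a* tun device AND carry a VPN
# source address. Chain/table names and the MASQUERADE rule are assumptions,
# not the openvpn-install script's exact rules.
# Usage: vpn_rules iptables|nftables <vpn_subnet> <wan_iface>
vpn_rules() {
  backend=$1 subnet=$2 wan=$3
  case $backend in
    iptables)
      printf '%s\n' \
        "iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE" \
        "iptables -A INPUT -i tun+ -s $subnet -j ACCEPT" \
        "iptables -A FORWARD -i tun+ -s $subnet -o $wan -j ACCEPT" ;;
    nftables)
      printf '%s\n' \
        "nft add rule inet openvpn input iifname \"tun*\" ip saddr $subnet accept" \
        "nft add rule inet openvpn forward iifname \"tun*\" ip saddr $subnet oifname \"$wan\" accept" ;;
    *) echo "unknown backend: $backend" >&2; return 2 ;;
  esac
}

# Audit a ruleset dump (iptables-save or `nft list ruleset` text) on stdin.
# Flags (a) rules pinned to tun0, which break when OpenVPN lands on tun1,
# and (b) wildcard rules with no source match, which would admit any tun
# device, not just OpenVPN's. Prints each finding; returns 0 when clean,
# 1 when anything was flagged.
audit_rules() {
  bad=0
  while IFS= read -r line; do
    case $line in
      *'-i tun0'*|*'iifname "tun0"'*)
        echo "hardcoded tun0: $line"; bad=1 ;;
      *'-i tun+'*)
        case $line in *' -s '*) ;; *) echo "no source match: $line"; bad=1 ;; esac ;;
      *'iifname "tun*"'*)
        case $line in *'ip saddr '*) ;; *) echo "no source match: $line"; bad=1 ;; esac ;;
    esac
  done
  return $bad
}

# Constructed pre-fix ruleset in iptables-save form (not from the project).
OLD_RULES='-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT'

printf '%s\n' "$OLD_RULES" | audit_rules || echo "-> regenerate with: vpn_rules iptables 10.8.0.0/24 eth0"
```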
@pull pull Bot locked and limited conversation to collaborators Dec 16, 2025
@pull pull Bot added the ⤵️ pull label Dec 16, 2025
@pull pull Bot merged commit e273a77 into namibia:master Dec 16, 2025