refactor: move default destination fallback after profile resolution and add nftables input chain filtering for VPN clients

Move default 172.16.10.0/24 destination assignment to after profile resolution and only apply when both selectedDestinations and services are empty. Extract selectedServices calculation before conditional check in applyCurrentPolicy.

Add nftables input chain to gateway with per-peer filtering. Accept established connections and non-WireGuard traffic. Allow DNS queries (UDP/TCP 53) from each peer's assigned IP to its configured DNS servers and TCP to its allowed service proxy ports; drop all other traffic arriving on the WireGuard interface.
2026-03-19 22:26:03 +01:00
parent bee9e63ace
commit 5d5f736e1b
2 changed files with 27 additions and 5 deletions


@@ -61,13 +61,13 @@ func (s *Service) Enroll(ctx context.Context, userID uuid.UUID, input EnrollRequ
if err != nil { if err != nil {
return EnrollmentResponse{}, err return EnrollmentResponse{}, err
} }
if len(destinations) == 0 {
destinations = []string{"172.16.10.0/24"}
}
availableProfiles, selectedProfileID, selectedDestinations, err := s.resolveAccessProfiles(ctx, userID, enrollment.Device.ID) availableProfiles, selectedProfileID, selectedDestinations, err := s.resolveAccessProfiles(ctx, userID, enrollment.Device.ID)
if err != nil { if err != nil {
return EnrollmentResponse{}, err return EnrollmentResponse{}, err
} }
if len(selectedDestinations) == 0 && len(servicesForSelectedProfile(availableProfiles, selectedProfileID)) == 0 {
selectedDestinations = []string{"172.16.10.0/24"}
}
if len(selectedDestinations) == 0 { if len(selectedDestinations) == 0 {
selectedDestinations = destinations selectedDestinations = destinations
} }
@@ -215,11 +215,11 @@ func (s *Service) applyCurrentPolicy(ctx context.Context, enrollment EnrollmentR
if err != nil { if err != nil {
return EnrollmentResponse{}, err return EnrollmentResponse{}, err
} }
if len(selectedDestinations) == 0 { selectedServices := servicesForSelectedProfile(availableProfiles, selectedProfileID)
if len(selectedDestinations) == 0 && len(selectedServices) == 0 {
selectedDestinations = []string{"172.16.10.0/24"} selectedDestinations = []string{"172.16.10.0/24"}
} }
selectedServices := servicesForSelectedProfile(availableProfiles, selectedProfileID)
enrollment.Resources = resourcesFromProfile(selectedDestinations, selectedServices) enrollment.Resources = resourcesFromProfile(selectedDestinations, selectedServices)
enrollment.AvailableProfiles = availableProfiles enrollment.AvailableProfiles = availableProfiles
enrollment.SelectedProfileID = selectedProfileID enrollment.SelectedProfileID = selectedProfileID
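Review bot: The fallback at lines 25–27, mirrored at lines 35–38 in applyCurrentPolicy, hands 172.16.10.0/24 to any enrollment whose profile resolves to neither destinations nor services, which is a fail-open default: a device with no applicable profile ends up with a reachable subnet instead of no resources. If that is intentional (an enrollment or bootstrap network), hoist the literal out of both functions and say so, e.g. `// defaultDestination is granted only when a profile yields no destinations and no services; it is the bootstrap network, not an implicit deny.` above `const defaultDestination = "172.16.10.0/24"`; if it is not intentional, the condition should leave selectedDestinations empty. The ordering also changes behaviour: the default now runs before `selectedDestinations = destinations` (line 28), so the earlier-resolved `destinations` are ignored whenever the profile is empty, whereas the removed lines 18–20 honoured them — worth confirming that this is intended. Both Enroll and applyCurrentPolicy begin and end outside these hunks.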


@@ -107,6 +107,28 @@ EOF
{ {
echo "table inet nexavpn {" echo "table inet nexavpn {"
echo " chain input {"
echo " type filter hook input priority 0;"
echo " policy accept;"
echo " ct state established,related accept"
echo " iifname != \"${IFACE}\" accept"
jq -c '.peers[]?' "${STATE_JSON}" | while read -r peer; do
ASSIGNED_IP=$(printf '%s' "${peer}" | jq -r '.assigned_ip')
printf '%s' "${peer}" | jq -r '.dns_servers[]?' | while read -r dns_server; do
echo " iifname \"${IFACE}\" ip saddr ${ASSIGNED_IP} ip daddr ${dns_server} udp dport 53 accept"
echo " iifname \"${IFACE}\" ip saddr ${ASSIGNED_IP} ip daddr ${dns_server} tcp dport 53 accept"
done
printf '%s' "${peer}" | jq -c '.allowed_services[]?' | while read -r service; do
SERVICE_PROXY_IP="$(printf '%s' "${service}" | jq -r '.access_proxy_ip')"
printf '%s' "${service}" | jq -r '.ports[]?' | while read -r service_port; do
echo " iifname \"${IFACE}\" ip saddr ${ASSIGNED_IP} ip daddr ${SERVICE_PROXY_IP} tcp dport ${service_port} accept"
done
done
done
echo " iifname \"${IFACE}\" drop"
echo " }"
echo " chain forward {" echo " chain forward {"
echo " type filter hook forward priority 0;" echo " type filter hook forward priority 0;"
echo " policy accept;" echo " policy accept;"