VPN-6632: Fix split tunnel when IPv6 unreachable (#10225) (#10231)

* Compare among IPv6 addresses when starting split tunnelling
* Remove firewall rules for SOCKS proxy - not needed anymore
* Fix endian conversion bug in WindowsCommons::AdapterIndexTo

Author: oskirby

src/platforms/windows/daemon/windowsdaemon.cpp

@@ -51,7 +51,8 @@ WindowsDaemon::~WindowsDaemon() {
 
 void WindowsDaemon::prepareActivation(const InterfaceConfig& config) {
   // Before creating the interface we need to check which adapter
-  // routes to the server endpoint
+  // routes to the server endpoint. This will be selected as the outgoing
+  // interface for split-tunnelled traffic.
   auto serveraddr = QHostAddress(config.m_serverIpv4AddrIn);
   m_inetAdapterIndex = WindowsCommons::AdapterIndexTo(serveraddr);
 }

src/platforms/windows/daemon/windowsfirewall.cpp

@@ -183,10 +183,6 @@ bool WindowsFirewall::enableInterface(int vpnAdapterIndex) {
   if (!allowTrafficForAppOnAll(getCurrentPath(), MAX_WEIGHT, msg)) {
     return false;
   }
-  msg = "Allow all for socksproxy.exe";
-  if (!allowTrafficForAppOnAll(getProxyPath(), MAX_WEIGHT, msg)) {
-    return false;
-  }
   if (!blockTrafficOnPort(53, MED_WEIGHT, "Block all DNS")) {
     return false;
   }
@@ -830,15 +826,6 @@ QString WindowsFirewall::getCurrentPath() {
   return QString::fromLocal8Bit(buffer);
 }
 
-QString WindowsFirewall::getProxyPath() {
-  QString execPath = getCurrentPath();
-  if (execPath.isEmpty()) {
-    return "";
-  }
-
-  return QFileInfo(execPath).dir().absoluteFilePath("socksproxy.exe");
-}
-
 void WindowsFirewall::importAddress(const QHostAddress& addr,
                                     OUT FWP_VALUE0_& value,
                                     OUT QByteArray* v6DataBuffer) {

src/platforms/windows/daemon/windowsfirewall.h

@@ -71,7 +71,6 @@ class WindowsFirewall final : public QObject {
 
   // Utils
   QString getCurrentPath();
-  QString getProxyPath();
   void importAddress(const QHostAddress& addr, OUT FWP_VALUE0_& value,
                      OUT QByteArray* v6DataBuffer);
   void importAddress(const QHostAddress& addr, OUT FWP_CONDITION_VALUE0_& value,

src/platforms/windows/daemon/windowssplittunnel.cpp

@@ -4,7 +4,11 @@
 
 #include "windowssplittunnel.h"
 
-#include <qassert.h>
+#include <WS2tcpip.h>
+#include <iphlpapi.h>
+#include <windows.h>
+#include <winsock2.h>
+#include <ws2ipdef.h>
 
 #include <memory>
 
@@ -17,13 +21,13 @@
 #include "windowsfirewall.h"
 
 #define PSAPI_VERSION 2
-#include <Windows.h>
 #include <psapi.h>
 
 #include <QCoreApplication>
 #include <QFileInfo>
 #include <QNetworkInterface>
 #include <QScopeGuard>
+#include <QtEndian>
 
 #pragma region
 
@@ -341,7 +345,7 @@ bool WindowsSplitTunnel::start(int inetAdapterIndex) {
 
   auto config = generateIPConfiguration(inetAdapterIndex);
   if (config.empty()) {
-    logger.error() << "Failed to set Network Config";
+    logger.error() << "Failed to generate Network Config";
     return false;
   }
   auto ok = DeviceIoControl(m_driver, IOCTL_REGISTER_IP_ADDRESSES, &config[0],
@@ -468,33 +472,76 @@ std::vector<std::byte> WindowsSplitTunnel::generateIPConfiguration(
 }
 bool WindowsSplitTunnel::getAddress(int adapterIndex, IN_ADDR* out_ipv4,
                                     IN6_ADDR* out_ipv6) {
-  QNetworkInterface target =
-      QNetworkInterface::interfaceFromIndex(adapterIndex);
-  logger.debug() << "Getting adapter info for:" << target.humanReadableName();
+  MIB_UNICASTIPADDRESS_TABLE* table;
+  DWORD result = GetUnicastIpAddressTable(AF_UNSPEC, &table);
+  if (result != NO_ERROR) {
+    logger.warning() << "GetUnicastIpAddressTable() failed:"
+                     << WindowsUtils::getErrorMessage(result);
+    return false;
+  }
+  auto guard = qScopeGuard([table]() { FreeMibTable(table); });
+
+  // Find the best unicast addresses on this interface.
+  const MIB_UNICASTIPADDRESS_ROW* bestIpv4 = nullptr;
+  const MIB_UNICASTIPADDRESS_ROW* bestIpv6 = nullptr;
+  for (ULONG i = 0; i < table->NumEntries; i++) {
+    const MIB_UNICASTIPADDRESS_ROW* row = &table->Table[i];
+    if (row->InterfaceIndex != adapterIndex) {
+      continue;
+    }
+    if (row->SkipAsSource) {
+      continue;
+    }
+
+    if (row->Address.si_family == AF_INET) {
+      // Check IPv4 addresses
+      quint32 rawAddr = row->Address.Ipv4.sin_addr.s_addr;
+      QHostAddress addr(qFromBigEndian<quint32>(rawAddr));
+      if (!addr.isGlobal()) {
+        continue;
+      }
+      // Prefer the address with the highest DAD state.
+      if ((bestIpv4 != nullptr) && (bestIpv4->DadState >= row->DadState)) {
+        continue;
+      }
+      bestIpv4 = row;
+    } else if (row->Address.si_family == AF_INET6) {
+      QHostAddress addr(row->Address.Ipv6.sin6_addr.s6_addr);
+      // Check IPv6 addresses
+      if (!addr.isGlobal()) {
+        continue;
+      }
+
+      if (!bestIpv6) {
+        bestIpv6 = row;
+        continue;
+      }
+      QHostAddress other(bestIpv6->Address.Ipv6.sin6_addr.s6_addr);
 
-  auto get = [&target](QAbstractSocket::NetworkLayerProtocol protocol) {
-    for (auto address : target.addressEntries()) {
-      if (address.ip().protocol() != protocol) {
+      // Ignore site-local addresses if a global address is already known.
+      if (addr.isUniqueLocalUnicast() && !other.isUniqueLocalUnicast()) {
         continue;
       }
-      return address.ip().toString().toStdWString();
+      // Prefer the address with the highest DAD state.
+      if ((bestIpv6 != nullptr) && (bestIpv6->DadState >= row->DadState)) {
+        continue;
+      }
+      bestIpv6 = row;
     }
-    return std::wstring{};
-  };
-  auto ipv4 = get(QAbstractSocket::IPv4Protocol);
-  auto ipv6 = get(QAbstractSocket::IPv6Protocol);
+  }
 
-  if (InetPtonW(AF_INET, ipv4.c_str(), out_ipv4) != 1) {
-    logger.debug() << "Ipv4 Conversation error" << WSAGetLastError();
+  // An IPv4 address is required for split tunnelling.
+  if (bestIpv4) {
+    out_ipv4->s_addr = bestIpv4->Address.Ipv4.sin_addr.s_addr;
+  } else {
     return false;
   }
-  if (ipv6.empty()) {
+
+  // Output the IPv6 address, if any.
+  if (bestIpv6) {
+    std::memcpy(out_ipv6, &bestIpv6->Address.Ipv6.sin6_addr, sizeof(IN6_ADDR));
+  } else {
     std::memset(out_ipv6, 0x00, sizeof(IN6_ADDR));
-    return true;
-  }
-  if (InetPtonW(AF_INET6, ipv6.c_str(), out_ipv6) != 1) {
-    logger.debug() << "Ipv6 Conversation error" << WSAGetLastError();
-    return false;
   }
   return true;
 }

src/platforms/windows/windowscommons.cpp

@@ -115,18 +115,15 @@ QString WindowsCommons::getTunnelLogFilePath() {
 int WindowsCommons::AdapterIndexTo(const QHostAddress& dst) {
   logger.debug() << "Getting Current Internet Adapter that routes to"
                  << logger.sensitive(dst.toString());
-  quint32_be ipBigEndian;
-  quint32 ip = dst.toIPv4Address();
-  qToBigEndian(ip, &ipBigEndian);
-  _MIB_IPFORWARDROW routeInfo;
-  auto result = GetBestRoute(ipBigEndian, 0, &routeInfo);
+  quint32 ipv4be = qToBigEndian<quint32>(dst.toIPv4Address());
+  DWORD index = 0;
+  DWORD result = GetBestInterface(ipv4be, &index);
   if (result != NO_ERROR) {
+    WindowsUtils::windowsLog("Interface lookup failed");
     return -1;
   }
-  auto adapter =
-      QNetworkInterface::interfaceFromIndex(routeInfo.dwForwardIfIndex);
-  logger.debug() << "Internet Adapter:" << adapter.name();
-  return routeInfo.dwForwardIfIndex;
+  logger.debug() << "Internet Adapter:" << index;
+  return index;
 }
 
 // static