OpenVPN import fix

client/configurators/openvpn_configurator.cpp

@@ -120,6 +120,13 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
         
         if (!m_settings->isSitesSplitTunnelingEnabled()) {
             config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
+
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+            // Prevent ipv6 leak
+            if (NetworkUtilities::checkIpv6Enabled()) {
+                config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
+            }
+#endif
             config.append("block-ipv6\n");
         } else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {
 
@@ -128,6 +135,7 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
             config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");
             // Prevent ipv6 leak
+            config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
 #endif
             config.append("block-ipv6\n");
         }
@@ -164,6 +172,7 @@ QString OpenVpnConfigurator::processConfigWithExportSettings(const QPair<QString
     config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
 
     // Prevent ipv6 leak
+    config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
     config.append("block-ipv6\n");
 
     // remove block-outside-dns for all exported configs

client/ui/controllers/importController.cpp

@@ -656,39 +656,47 @@ void ImportController::checkForMaliciousStrings(const QJsonObject &serverConfig)
     const QJsonArray &containers = serverConfig[config_key::containers].toArray();
     for (const QJsonValue &container : containers) {
         auto containerConfig = container.toObject();
-        auto containerName = containerConfig[config_key::container].toString();
+        QString containerName = containerConfig[config_key::container].toString();
-        if ((containerName == ContainerProps::containerToString(DockerContainer::OpenVpn))
-            || (containerName == ContainerProps::containerToString(DockerContainer::Cloak))
-            || (containerName == ContainerProps::containerToString(DockerContainer::ShadowSocks))) {
 
-            QString protocolConfig =
+        if (containerName == ContainerProps::containerToString(DockerContainer::OpenVpn)
-                    containerConfig[ProtocolProps::protoToString(Proto::OpenVpn)].toObject()[config_key::last_config].toString();
+            || containerName == ContainerProps::containerToString(DockerContainer::Cloak)
-            QString protocolConfigJson = QJsonDocument::fromJson(protocolConfig.toUtf8()).object()[config_key::config].toString();
+            || containerName == ContainerProps::containerToString(DockerContainer::ShadowSocks))
+        {
+            QString protoCfgB64 = containerConfig[ProtocolProps::protoToString(Proto::OpenVpn)]
+                                          .toObject()[config_key::last_config].toString();
+            QString cfgJson = QJsonDocument::fromJson(protoCfgB64.toUtf8())
+                                      .object()[config_key::config].toString();
 
-            const QRegularExpression regExp { "(\\w+-\\w+|\\w+)" };
+            QStringList lines = cfgJson.replace("\r", "").split('\n');
-            const size_t dangerousTagsMaxCount = 3;
+
+            const size_t dangerousTagsMaxCount = 1;
 
             // https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/script-options.rst
-            QStringList dangerousTags {
+            const QStringList dangerousTags {
-                "up", "tls-verify", "ipchange", "client-connect", "route-up", "route-pre-down", "client-disconnect", "down", "learn-address", "auth-user-pass-verify"
+                "up", "tls-verify", "ipchange", "client-connect",
+                "route-up", "route-pre-down", "client-disconnect",
+                "down", "learn-address", "auth-user-pass-verify"
             };
+            const QStringList allowedTags { "up", "down" };
 
-            QStringList maliciousStrings;
+            QStringList found;
-            QStringList lines = protocolConfigJson.replace("\r", "").split("\n");
+            for (QString line : lines) {
-            for (const QString &l : lines) {
+                line = line.trimmed();
-                QRegularExpressionMatch match = regExp.match(l);
+                if (line.isEmpty() || line.startsWith('#') || line.startsWith(';'))
-                if (dangerousTags.contains(match.captured(0))) {
+                    continue;
-                    maliciousStrings << l;
+                QString tag = line.section(QRegularExpression("\\s+"), 0, 0);
+                if (dangerousTags.contains(tag) && !allowedTags.contains(tag)) {
+                    found << line;
                 }
             }
 
             m_maliciousWarningText = tr("This configuration contains an OpenVPN setup. OpenVPN configurations can include malicious "
                                         "scripts, so only add it if you fully trust the provider of this config. ");
 
-            if (maliciousStrings.size() >= dangerousTagsMaxCount) {
+            if (found.size() >= dangerousTagsMaxCount) {
-                m_maliciousWarningText.push_back(tr("<br>In the imported configuration, potentially dangerous lines were found:"));
+                m_maliciousWarningText += tr("<br>Potentially dangerous directives found:");
-                for (const auto &string : maliciousStrings) {
+                for (auto &l : found) {
-                    m_maliciousWarningText.push_back(QString("<br><i>%1</i>").arg(string));
+                    m_maliciousWarningText += QString("<br><i>%1</i>").arg(l);
                 }
             }
         }