Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 526 through 540 (of 1,486 total)
  • in reply to: VPN Demo #11265
    Vadim Smirnov
    Keymaster

      Windows Packet Filter demo package contains a sample named GRETunnel, which demonstrates how to attach/remove new headers to/from the network packets. Add GRE payload encryption and you get a simple VPN tunnel.

      This is another sample with a different approach. It redirects selected TCP connections to the local proxy and then forwards these through the SOCKS5 proxy. Just add an SSH client with SOCKS support (PuTTY, for example) and the result is a VPN over an SSH tunnel.

      So, basically with winpkfilter you have everything needed to implement any type of VPN. The details depend on your concrete needs. For example, for a WireGuard implementation you should insert/remove UDP headers (plus some protocol-specific data) instead of GRE, but the idea is the same.

      in reply to: Concurrency handling of ReadPackets and SendPackets #11262
      Vadim Smirnov
      Keymaster

        Yes, SendPacket/s return immediately.

        in reply to: Concurrency handling of ReadPackets and SendPackets #11260
        Vadim Smirnov
        Keymaster

          Yes, the entire library is thread safe.

          The only thing to note about it is that there is only one instance of each network interface (setting mode, event, etc.) and only one copy of each packet (if one thread has taken a packet, other threads won’t be able to get it). Though for one customer we created a special build with multiple filtering layers (e.g. a packet injected on one layer can be picked up again on the next layer).

          in reply to: Problem using filters with C# #11255
          Vadim Smirnov
          Keymaster

            From the experiments I did, the only way I found to redirect some packets and let everything else pass is to use MSTCP_FLAG_TUNNEL for the adapter mode and then specify 2 filters: the first with the action FILTER_PACKET_REDIRECT that intercepts the packets I’m interested in, and then a second filter with action FILTER_PACKET_PASS to let everything else pass through. Am I correct?

            Yes, you are right! There is also an alternative approach: when the adapter is in tunnel mode, REDIRECT is the default action, so you can load one or more filters to pass selected traffic over and everything else will be redirected to your application automatically.

            Or is there a way for example to set the adapter mode in something like “let everything pass” and then use a single filter with the action FILTER_PACKET_REDIRECT?

            No, it won’t work. Adapter mode defines whether the network interface is filtered or not (independently in each direction). If it is not, then loaded filters are not applied and all the traffic is passed over.

            in reply to: Problem using filters with C# #11253
            Vadim Smirnov
            Keymaster

              Below, sf is assigned a copy of ft.StaticFilters[0]

              var sf = ft.StaticFilters[0];

              and then the copy is initialized. So, you should assign it back after initialization or define sf as a reference to ft.StaticFilters[0]

              ref var sf = ref ft.StaticFilters[0];

              Vadim Smirnov
              Keymaster

                That depends on which installer you have downloaded. Two of them (MSI ones) install the driver only (x64 or x86 depending on the platform), the third one contains more demo binaries and includes ndisapi.dll.

                The source code for ndisapi can be found here. You can use it as a static or dynamic library (or even a .NET class library) depending on your requirements.

                Vadim Smirnov
                Keymaster

                  Support of NDIS 3.0 was removed from Windows 10 starting 1809, so the NDIS 3.0 of VirtNet can’t be used anymore. You can check this thread for the details and temporary NDIS 6.0 VirtNet driver replacement:

                  VirtNet does not install on Windows 10 version 1809 x64

                  However, this problem is not related to Windows Packet Filter, so if you have experienced any problems with it, could you please provide the details?

                  in reply to: Why is WinPkFlt a LWF and not an NDIS Intermediate Driver ? #11234
                  Vadim Smirnov
                  Keymaster

                    No, in fact NDIS 6.x LWF is a direct replacement for NDIS 5.1 IM drivers.

                    in reply to: Why is WinPkFlt a LWF and not an NDIS Intermediate Driver ? #11232
                    Vadim Smirnov
                    Keymaster

                      In two words, NDIS IM is an NDIS 5.1 driver (though it can be used in Vista, in fact this is a compatibility mode) while LWF is NDIS 6.x and has native support.

                      in reply to: msi installer 3.2.18.1 x64 on WIN 8.1 #11046
                      Vadim Smirnov
                      Keymaster

                        Yes, sure!

                        Vadim Smirnov
                        Keymaster

                          P.S. I was a little bit confused about your claim regarding code signing certificates costs, but yes, if you tried to order directly from the main page then it is a kind of expensive. However, if you try this link then you might be pleasantly surprised. 🙂

                          Vadim Smirnov
                          Keymaster

                            Well, yes, this is an option. However, it won’t protect if any other applications using standard winpkfilter build are running.

                            By the way, we can sign your custom build with our code-signing certificate. Some of the customers prefer this option not only because of certificate costs but mostly because of a relatively complex driver signing process.

                            Vadim Smirnov
                            Keymaster

                              Hmm, interesting question and I’m afraid I don’t have a quick answer. Inspecting all active processes for the open driver handle does not look like a good idea. However, I think such functionality could be added to the driver itself, for example, store the driver's opened handles counter in the registry.

                              Still, I’m not sure that this type of functionality is really needed though; normally you should tie your NAT application to a custom driver build. In this situation your NAT application always knows if it uses the driver or not, while no other applications are aware of the custom driver build and therefore can’t use the driver.

                              in reply to: InternetGateway on Win10: DNS reply has invalid UDP cksum #11037
                              Vadim Smirnov
                              Keymaster

                                Yes, you are right, it is a bug. You should add UDP checksum recalculation in two places:

                                //DNS hook
                                //If we receive DNS packet on the NAT client adapter then we redirect it 
                                //to this system configured DNS server
                                if((pDlg->m_DNSIp.S_un.S_addr != INADDR_ANY) && (pDlg->m_DNSIp.S_un.S_addr != INADDR_NONE))
                                {
                                    if ((hAdapters[dwIndex]->m_NATState == CLIENT)&&
                                    (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE))
                                    {
                                        if (ntohs(pUdpHeader->th_dport) == 53/*DNS port*/)
                                        {
                                            // Save the DNS IP used by the NAT client system
                                            hAdapters[dwIndex]->m_LocalDNS.S_un.S_addr = ntohl(pIpHeader->ip_dst.S_un.S_addr);
                                            
                                            pIpHeader->ip_dst.S_un.S_addr = pDlg->m_DNSIp.S_un.S_addr;
                                        
                                            if(bForceRouting) 
                                            {
                                                bNeedToBeRouted = pDlg->IsNeedToForceRouting(pEthHeader->h_dest, pIpHeader->ip_dst.S_un.S_addr, pProviderCard->m_Index);
                                            }
                                
                                            RecalculateUDPChecksum(&PacketBuffer);
                                            RecalculateIPChecksum (&PacketBuffer);
                                        }
                                    }
                                
                                    // DNS reply came, substitute source IP back to the original DNS address
                                    if ((hAdapters[dwIndex]->m_NATState == CLIENT)&&
                                        (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))
                                    {
                                        if (ntohs(pUdpHeader->th_sport) == 53/*DNS port*/)
                                        {
                                            pIpHeader->ip_src.S_un.S_addr = htonl(hAdapters[dwIndex]->m_LocalDNS.S_un.S_addr);
                                            RecalculateUDPChecksum(&PacketBuffer);
                                            RecalculateIPChecksum (&PacketBuffer);
                                        }
                                    }
                                }

                                Internet Gateway is a very old sample and I have a newer NAT library implementation (not available for public though) where surprisingly this bug was already fixed.
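
Added example, not part of the original post or of the Internet Gateway sample: a stand-alone C model of why the DNS hook's address rewrite invalidates the UDP checksum, which covers the IP addresses through the pseudo-header. All function names and the sample packet are constructed for illustration, the packet is assumed well formed (no bounds checks), and the pre-fix behaviour of refreshing only the IP header checksum is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* One's-complement sum of big-endian 16-bit words (RFC 1071), odd byte padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)~acc;
}
static size_t ihl(const uint8_t *ip) { return (size_t)(ip[0] & 0x0F) * 4; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
/* Both return 0 when run over a packet whose stored checksum is correct. */
uint16_t ip_sum(const uint8_t *ip) { return fold(sum16(ip, ihl(ip), 0)); }
uint16_t udp_sum(const uint8_t *ip) {
    const uint8_t *udp = ip + ihl(ip);
    size_t ulen = (size_t)(udp[4] << 8 | udp[5]);  /* pseudo-header: src, dst, proto 17, length */
    return fold(sum16(udp, ulen, sum16(ip + 12, 8, 17 + (uint32_t)ulen)));
}
void set_ip_sum(uint8_t *ip) { put16(ip + 10, 0); put16(ip + 10, ip_sum(ip)); }
void set_udp_sum(uint8_t *ip) {
    uint8_t *f = ip + ihl(ip) + 6;
    put16(f, 0);
    uint16_t c = udp_sum(ip);
    put16(f, c ? c : 0xFFFF);   /* 0 on the wire means "no checksum" */
}
int udp_ok(const uint8_t *ip) {  /* stored 0 = sender computed none */
    const uint8_t *f = ip + ihl(ip) + 6;
    return (f[0] | f[1]) == 0 || udp_sum(ip) == 0;
}
/* DNS-hook model: fix_udp=0 refreshes only the IP checksum (assumed pre-fix behaviour). */
void redirect_dns(uint8_t *ip, const uint8_t dst[4], int fix_udp) {
    memcpy(ip + 16, dst, 4);    /* overwrite ip_dst with the configured DNS server */
    if (fix_udp) set_udp_sum(ip);
    set_ip_sum(ip);
}
/* Constructed sample: 192.168.1.10:50000 -> 192.168.1.1:53, 4 payload bytes. */
const uint8_t SAMPLE[32] = {
    0x45,0x00,0x00,0x20, 0x12,0x34,0x00,0x00, 0x40,0x11,0x00,0x00, 192,168,1,10, 192,168,1,1,
    0xC3,0x50,0x00,0x35, 0x00,0x0C,0x00,0x00, 0xDE,0xAD,0xBE,0xEF };
int main(void) {  /* exit status 0: IP checksum valid, UDP checksum stale */
    uint8_t p[32]; const uint8_t dns[4] = {192, 0, 2, 53};
    memcpy(p, SAMPLE, 32); set_udp_sum(p); set_ip_sum(p);
    redirect_dns(p, dns, 0);
    return !(ip_sum(p) == 0 && !udp_ok(p));
}
```

With `fix_udp` set to 1 the same rewrite leaves both checksums valid, which is the effect of the two `RecalculateUDPChecksum` calls in the post.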

                                in reply to: Which process sent the UDP packet? #11033
                                Vadim Smirnov
                                Keymaster

                                  Although sendto() can be called on an unbound socket, according to MSDN “If the socket is unbound, unique values are assigned to the local association by the system, and the socket is then marked as bound”. So, I suspect that this is equivalent to calling bind explicitly. However, it is worth testing to be sure.
