Stanislas e273a77dcd fix: use source-based firewall rules with interface wildcard matching (#1426)
## Summary

- Fixes firewall rules that hardcode `tun0` interface, which fails when
OpenVPN uses `tun1`, `tun2`, etc. because another service already
occupies `tun0`
- Uses a defense-in-depth approach combining interface wildcard matching
with source-based rules to prevent IP spoofing

Fixes #1298

## Changes

| Backend | Before | After |
|---------|--------|-------|
| **iptables** | `-i tun0` | `-i tun+ -s $VPN_SUBNET` |
| **nftables** | `iifname "tun0"` | `iifname "tun*" ip saddr $VPN_SUBNET` |
| **firewalld** | rich rules (source-based) | no change needed |

## Implementation Details

- **iptables/nftables**: Combined interface wildcard (`tun+`/`tun*`)
with source matching provides defense in depth - traffic must come from
both a tun interface AND the VPN subnet
- **firewalld**: Already used source-based rich rules, so no changes
required (rich rules work reliably across both iptables and nftables
backends)
2025-12-16 09:58:30 +01:00
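To make the before/after difference in the table concrete, here is an added example that is not part of the commit or the openvpn-install project: a small simulation of how each match expression treats a packet, using the iptables semantics of `-i tun0`, `-i tun+` and `-s <subnet>`. The VPN subnet value and the packets are constructed for the demonstration.

```python
"""Added example (not openvpn-install's code): simulate the old `-i tun0`
rule and the new `-i tun+ -s $VPN_SUBNET` rule on constructed packets."""
import ipaddress

VPN_SUBNET = "10.8.0.0/24"  # assumed value for the demo, not asserted as the script's default


def match_old(iface: str, saddr: str) -> bool:
    """Old rule: `-i tun0` alone. Only the exact interface name is checked;
    the source address plays no part."""
    return iface == "tun0"


def match_new(iface: str, saddr: str, subnet: str = VPN_SUBNET) -> bool:
    """New rule: `-i tun+ -s $VPN_SUBNET`. In iptables a trailing `+` is a
    prefix wildcard (nftables' `iifname "tun*"` is the equivalent glob), and
    the source must also lie inside the VPN subnet: both conditions must hold."""
    on_tun = iface.startswith("tun")
    in_subnet = ipaddress.ip_address(saddr) in ipaddress.ip_network(subnet)
    return on_tun and in_subnet


def rules(subnet: str = VPN_SUBNET) -> dict:
    """Render the post-change match expressions for both backends."""
    return {
        "iptables": f"-i tun+ -s {subnet}",
        "nftables": f'iifname "tun*" ip saddr {subnet}',
    }


# Constructed packets: (ingress interface, source IP, scenario).
CASES = [
    ("tun0", "10.8.0.2", "VPN client, tun0 free"),
    ("tun1", "10.8.0.2", "VPN client, tun0 occupied by another service (#1298)"),
    ("tun0", "172.16.5.9", "another service's tunnel on tun0, non-VPN source"),
    ("tun1", "192.0.2.7", "tun interface but source outside the VPN subnet"),
    ("eth0", "10.8.0.2", "VPN-subnet source arriving on the LAN interface"),
]


def evaluate(cases=CASES) -> list:
    """Return (iface, saddr, old_accepts, new_accepts) for every case."""
    return [(i, s, match_old(i, s), match_new(i, s)) for i, s, _ in cases]


if __name__ == "__main__":
    for iface, saddr, old, new in evaluate():
        print(f"{iface:5} {saddr:12} old={old!s:5} new={new!s:5}")
```

The second case is the bug the commit fixes (old rule drops legitimate clients on `tun1`); the third shows why the source match matters, since `tun+` alone would accept any tun interface.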