fix: avoid messing with Tailscale firewall rules (#90)

deansheather · web-flow · commit 5a2ef8e533be · 2025-07-28T14:02:06.000+10:00
diff --git a/wgengine/router/router_windows.go b/wgengine/router/router_windows.go
@@ -26,6 +26,13 @@ import (
 	"tailscale.com/types/logger"
 )
 
+const firewallRulePrefix = "CoderConnect-"
+
+var (
+	firewallRuleIn      = firewallRulePrefix + "In"
+	firewallRuleProcess = firewallRulePrefix + "Process"
+)
+
 type winRouter struct {
 	logf                func(fmt string, args ...any)
 	netMon              *netmon.Monitor // may be nil
@@ -237,28 +244,28 @@ func (ft *firewallTweaker) doAsyncSet() {
 // Must only be invoked from doAsyncSet.
 func (ft *firewallTweaker) doSet(local []string, killswitch bool, clear bool, procRule bool, allowedRoutes []netip.Prefix) error {
 	if clear {
-		ft.logf("clearing Tailscale-In firewall rules...")
+		ft.logf("clearing %s firewall rules...", firewallRuleIn)
 		// We ignore the error here, because netsh returns an error for
 		// deleting something that doesn't match.
 		// TODO(bradfitz): care? That'd involve querying it before/after to see
 		// whether it was necessary/worked. But the output format is localized,
 		// so can't rely on parsing English. Maybe need to use OLE, not netsh.exe?
-		d, _ := ft.runFirewall("delete", "rule", "name=Tailscale-In", "dir=in")
-		ft.logf("cleared Tailscale-In firewall rules in %v", d)
+		d, _ := ft.runFirewall("delete", "rule", "name="+firewallRuleIn, "dir=in")
+		ft.logf("cleared %s firewall rules in %v", firewallRuleIn, d)
 	}
 	if procRule {
-		ft.logf("deleting any prior Tailscale-Process rule...")
-		d, err := ft.runFirewall("delete", "rule", "name=Tailscale-Process", "dir=in") // best effort
+		ft.logf("deleting any prior %s rule...", firewallRuleProcess)
+		d, err := ft.runFirewall("delete", "rule", "name="+firewallRuleProcess, "dir=in") // best effort
 		if err == nil {
-			ft.logf("removed old Tailscale-Process rule in %v", d)
+			ft.logf("removed old %s rule in %v", firewallRuleProcess, d)
 		}
 		var exe string
 		exe, err = os.Executable()
 		if err != nil {
-			ft.logf("failed to find Executable for Tailscale-Process rule: %v", err)
+			ft.logf("failed to find Executable for %s rule: %v", firewallRuleProcess, err)
 		} else {
-			ft.logf("adding Tailscale-Process rule to allow UDP for %q ...", exe)
-			d, err = ft.runFirewall("add", "rule", "name=Tailscale-Process",
+			ft.logf("adding %s rule to allow UDP for %q ...", firewallRuleProcess, exe)
+			d, err = ft.runFirewall("add", "rule", "name="+firewallRuleProcess,
 				"dir=in",
 				"action=allow",
 				"edge=yes",
@@ -268,24 +275,24 @@ func (ft *firewallTweaker) doSet(local []string, killswitch bool, clear bool, pr
 				"enable=yes",
 			)
 			if err != nil {
-				ft.logf("error adding Tailscale-Process rule: %v", err)
+				ft.logf("error adding %s rule: %v", firewallRuleProcess, err)
 			} else {
 				ft.mu.Lock()
 				ft.didProcRule = true
 				ft.mu.Unlock()
-				ft.logf("added Tailscale-Process rule in %v", d)
+				ft.logf("added %s rule in %v", firewallRuleProcess, d)
 			}
 		}
 	}
 	for _, cidr := range local {
-		ft.logf("adding Tailscale-In rule to allow %v ...", cidr)
+		ft.logf("adding %s rule to allow %v ...", firewallRuleIn, cidr)
 		var d time.Duration
-		d, err := ft.runFirewall("add", "rule", "name=Tailscale-In", "dir=in", "action=allow", "localip="+cidr, "profile=private", "enable=yes")
+		d, err := ft.runFirewall("add", "rule", "name="+firewallRuleIn, "dir=in", "action=allow", "localip="+cidr, "profile=private", "enable=yes")
 		if err != nil {
-			ft.logf("error adding Tailscale-In rule to allow %v: %v", cidr, err)
+			ft.logf("error adding %s rule to allow %v: %v", firewallRuleIn, cidr, err)
 			return err
 		}
-		ft.logf("added Tailscale-In rule to allow %v in %v", cidr, d)
+		ft.logf("added %s rule to allow %v in %v", firewallRuleIn, cidr, d)
 	}
 
 	if !killswitch {
