WFP redirection to local proxy using app id and remote ip filter

Hi everyone,

I'm relatively new to Windows driver development, so please feel free to correct me if I’m misunderstanding something.

I'm currently working on building a split-tunneling mechanism using WFP, where I aim to redirect traffic based on both the AppId and specific remote IP ranges.

My implementation is inspired by well-known VPN software, like ProtonVPN or PIA.

The redirection is done with:
INETADDR_SET_ADDRESS((PSOCKADDR)&sockAddrStorage, &(addr.S_un.S_un_b.s_b1));

What works so far:
I’m able to successfully redirect all UDP and TCP traffic from Microsoft Edge to go through my local proxy interface. That part is functioning as expected.

The issue:
I would like to refine the redirection to only apply when both:

  • the AppId matches (e.g., Edge or another process), and
  • the remote IP is in a specific list or prefix range.

However, as far as I can tell, ALE_BIND_REDIRECT does not provide access to the remote IP during classification. This makes sense per Microsoft’s documentation and the WFPSampler sample, which states:

For non-TCP, this setting will not be enforced being that local redirection of this tuple is only available during bind time, and ideally redirection should be performed using ALE_BIND_REDIRECT instead.

The ALE_BIND_REDIRECT is the only place I can change the local address and port (it is, by default, 0.0.0.0:0). Even if the UDP packets afterwards go through ALE_CONNECT_REDIRECT, it does not work.

So while UDP redirection works correctly at the bind layer, I am unable to make a redirection decision based on the destination address, meaning all traffic from that AppId gets redirected unconditionally.

So, is there any way to conditionally redirect UDP and TCP traffic in WFP based on both AppId and remote IP, while still respecting the early binding behavior required for UDP?

Any insight would be greatly appreciated. Thanks in advance!

Best regards,
Chris
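As an added illustration (not code from the post above, and not taken from ProtonVPN, PIA or the WFPSampler driver), the following plain C models the policy decision the question describes: redirect only when the calling process's app id matches AND the remote IPv4 address falls inside one of a list of prefix ranges. It is written as user-mode C with no Windows headers so it can be compiled and run anywhere; in a real callout the app id would come from the layer's FWPS_FIELD_*_ALE_APP_ID value and the remote address from the layer's remote-address field, which, as the post notes, is only present at a connect-type layer and not at ALE_BIND_REDIRECT. The app id path, the prefix list and the sample addresses are all constructed placeholders.

```c
/* Added example: models an "app id AND remote prefix" redirect decision in
 * portable C. Not the poster's driver code; all values below are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for an NT image path as WFP reports app ids. */
#define EXAMPLE_APP_ID "\\device\\harddiskvolume1\\example\\msedge.exe"
#define MAX_PREFIXES 16

/* One remote IPv4 range such as 10.0.0.0/8, stored in host byte order. */
typedef struct {
    uint32_t network;
    uint8_t  prefix_len;
} ipv4_prefix_t;

typedef struct {
    const char   *app_id;               /* process image the policy applies to */
    ipv4_prefix_t prefixes[MAX_PREFIXES];
    size_t        prefix_count;
} redirect_policy_t;

static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Parse dotted quad "a.b.c.d" into a host-order uint32; false on any junk. */
static bool parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

/* Parse "a.b.c.d/n" (or a bare address, meaning /32); host bits are cleared. */
static bool parse_prefix(const char *cidr, ipv4_prefix_t *out)
{
    char addr[32];
    const char *slash = strchr(cidr, '/');
    unsigned len = 32;
    size_t n = slash ? (size_t)(slash - cidr) : strlen(cidr);
    if (n >= sizeof addr) return false;
    memcpy(addr, cidr, n);
    addr[n] = '\0';
    if (slash) {
        char tail;
        if (sscanf(slash + 1, "%u%c", &len, &tail) != 1 || len > 32) return false;
    }
    uint32_t ip;
    if (!parse_ipv4(addr, &ip)) return false;
    out->network = ip & prefix_mask(len);
    out->prefix_len = (uint8_t)len;
    return true;
}

static bool prefix_contains(const ipv4_prefix_t *p, uint32_t ip)
{
    return (ip & prefix_mask(p->prefix_len)) == p->network;
}

/* NT paths are case-insensitive, so compare app ids without regard to case. */
static bool app_id_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

static bool policy_add_prefix(redirect_policy_t *pol, const char *cidr)
{
    if (pol->prefix_count >= MAX_PREFIXES) return false;
    return parse_prefix(cidr, &pol->prefixes[pol->prefix_count++]);
}

/* The decision: both conditions must hold, otherwise the flow is left alone.
 * An unparseable remote address is treated as "do not redirect". */
static bool should_redirect(const redirect_policy_t *pol, const char *app_id,
                            const char *remote_ip)
{
    uint32_t ip;
    if (!app_id || !app_id_equals(pol->app_id, app_id)) return false;
    if (!parse_ipv4(remote_ip, &ip)) return false;
    for (size_t i = 0; i < pol->prefix_count; i++)
        if (prefix_contains(&pol->prefixes[i], ip)) return true;
    return false;
}

/* Constructed policy: one app id, two private ranges. */
static redirect_policy_t build_example_policy(void)
{
    redirect_policy_t pol;
    memset(&pol, 0, sizeof pol);
    pol.app_id = EXAMPLE_APP_ID;
    policy_add_prefix(&pol, "10.0.0.0/8");
    policy_add_prefix(&pol, "192.168.0.0/16");
    return pol;
}

int main(void)
{
    redirect_policy_t pol = build_example_policy();
    const char *samples[] = { "10.20.30.40", "8.8.8.8", "192.168.1.5" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", samples[i],
               should_redirect(&pol, EXAMPLE_APP_ID, samples[i]) ? "redirect" : "pass");
    return 0;
}
```

The prefix list is deliberately parsed once into masked network values rather than compared as strings, so the per-flow check is a mask-and-compare per entry; the case-insensitive app id match mirrors how NT device paths behave, which avoids silently missing a process whose path casing differs from the configured one.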