From: Nico Schottelius <nico.schottelius@ungleich.ch>
To: "Ivan Labáth" <labawi-wg@matrix-dream.net>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Netfilter redirect does not work with wireguard
Date: Fri, 08 Nov 2019 16:29:31 +0100
Message-ID: <87mud61j50.fsf@ungleich.ch>
In-Reply-To: <20191107215054.GA23531@matrix-dream.net>


Hello,

there are actually no replies at all, which is why I *assumed* that the
packets do not actually arrive at the wireguard code.

How does wireguard integrate into the kernel / netfilter flow? Or in
other words, what is the expected behaviour of something like what I am
trying to do?

Best,

Nico

p.s.: I was also thinking about needing SNAT, but I don't see any
replies generated at the moment.


Ivan Labáth <labawi-wg@matrix-dream.net> writes:

> Hello,
>
> have you checked the source port of replies, or whether
> there are any replies?
>
> # tcpdump -nn
>
> Tcpdump should show pre-NAT addresses on incoming packets
> and AFAIK post-NAT on outgoing packets, i.e. what goes on
> the wire.
>
> You might need to apply SNAT on outgoing packets, which
> might happen automatically with TCP connection tracking,
> but I wouldn't really expect it on connection-less UDP.
>
> Regards,
> Ivan
>
> On Thu, Nov 07, 2019 at 05:38:42PM +0100, Nico Schottelius wrote:
>>
>> Hello,
>>
>> I am experimenting with nft / netfilter redirects to support wireguard
>> packets on *any* udp port. I tried using the following configuration for
>> nftables:
>>
>> [17:34:14] vpn-2a0ae5c1:~# cat /etc/nftables.conf
>> #!/usr/sbin/nft -f
>>
>> flush ruleset
>>
>> table ip nat {
>> 	chain prerouting {
>> 		type nat hook prerouting priority 0;
>>
>> 		# SSH works
>> 		tcp dport != 22 redirect to 22
>>
>> 		# wireguard doesn't
>> 		udp dport != 51820 redirect to 51820
>> 	}
>>
>> 	chain postrouting {
>> 		type nat hook postrouting priority 0;
>> 	}
>> }
>>
>> However, as you can see in the comments, this does not work with
>> wireguard, though it does work with SSH.
>>
>> I can see that wireguard is kernel space, and ssh user space, but does
>> that cause the netfilter part to be skipped or am I doing some silly
>> mistake here?
>>
>> Best regards,
>>
>> Nico
>>
>>
>> --
>> Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard


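One way to do the check Ivan suggests (are there replies at all, and from which source port) over a saved `tcpdump -nn` capture, as an added example that is not part of this thread. The VPN host address, the client addresses and the packet lines are constructed, and the parser assumes tcpdump's default IPv4/UDP summary line format:

```python
import re
from collections import defaultdict

# One "tcpdump -nn" IPv4/UDP summary line (format assumed from default output).
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length \d+$")

def parse(lines):
    """Yield (src, sport, dst, dport) for UDP lines; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def check_replies(lines, server_ip, listen_port):
    """Pair inbound datagrams to server_ip with outbound replies, per client.

    Verdicts: 'no_reply' (nothing came back), 'reverse_nat_ok' (reply source
    port == port the client addressed, i.e. conntrack undid the redirect),
    'no_reverse_nat' (reply left straight from listen_port), 'unexpected_port'.
    """
    addressed = {}                 # (client_ip, client_port) -> port it sent to
    reply_sports = defaultdict(list)
    for src, sport, dst, dport in parse(lines):
        if dst == server_ip:
            addressed.setdefault((src, sport), dport)
        elif src == server_ip:
            reply_sports[(dst, dport)].append(sport)
    verdicts = {}
    for client, port in addressed.items():
        sports = reply_sports.get(client, [])
        if not sports:
            verdicts[client] = "no_reply"
        elif all(sp == port for sp in sports):
            verdicts[client] = "reverse_nat_ok"
        elif port != listen_port and listen_port in sports:
            verdicts[client] = "no_reverse_nat"
        else:
            verdicts[client] = "unexpected_port"
    return verdicts

# Constructed sample capture: 198.51.100.10 is the VPN host, 51820 the redirect target.
# 148/92 bytes are the sizes of a WireGuard handshake initiation/response.
SAMPLE = """\
17:40:01.000100 IP 203.0.113.5.40000 > 198.51.100.10.12345: UDP, length 148
17:40:01.000900 IP 198.51.100.10.12345 > 203.0.113.5.40000: UDP, length 92
17:40:02.000100 IP 203.0.113.6.41000 > 198.51.100.10.443: UDP, length 148
17:40:02.000900 IP 198.51.100.10.51820 > 203.0.113.6.41000: UDP, length 92
17:40:03.000100 IP 203.0.113.7.42000 > 198.51.100.10.53: UDP, length 148
""".splitlines()
```

Run `check_replies(SAMPLE, "198.51.100.10", 51820)` on the sample: the first client gets a reply with the reverse NAT applied, the second sees the reply leave straight from port 51820, and the third gets no reply at all.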
