Netfilter redirect does not work with wireguard

Netfilter redirect does not work with wireguard

[Nico Schottelius]

Hello,

I am experimenting with nft / netfilter redirects to support wireguard
packets on *any* udp port. I tried using the following configuration for
nftables:

[17:34:14] vpn-2a0ae5c1:~# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0;

		# SSH works
		tcp dport != 22 redirect to 22

		# wireguard doesn't
		udp dport != 51820 redirect to 51820
	}

	chain postrouting {
		type nat hook postrouting priority 0;
	}
}

However as you can see in the comments, this does not work with
wireguard, however it does work with SSH.

I can see that wireguard is kernel space, and ssh user space, but does
that cause the netfilter part to be skipped or am I doing some silly
mistake here?

Best regards,

Nico


--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Netfilter redirect does not work with wireguard

[Ivan Labáth]

Hello,

have you checked the source port of replies, or whether
there are any replies?

# tcpdump -nn

Tcpdump should show pre-NAT addresses on incoming packets
and AFAIK post-NAT on outgoing packets, i.e. what goes on
the wire.

You might need to apply SNAT on outgoing packets, which
might happen automatically with TCP connection tracking,
but I wouldn't really expect it on connection-less UDP.

Regards,
Ivan

On Thu, Nov 07, 2019 at 05:38:42PM +0100, Nico Schottelius wrote:
> 
> Hello,
> 
> I am experimenting with nft / netfilter redirects to support wireguard
> packets on *any* udp port. I tried using the following configuration for
> nftables:
> 
> [17:34:14] vpn-2a0ae5c1:~# cat /etc/nftables.conf
> #!/usr/sbin/nft -f
> 
> flush ruleset
> 
> table ip nat {
> 	chain prerouting {
> 		type nat hook prerouting priority 0;
> 
> 		# SSH works
> 		tcp dport != 22 redirect to 22
> 
> 		# wireguard doesn't
> 		udp dport != 51820 redirect to 51820
> 	}
> 
> 	chain postrouting {
> 		type nat hook postrouting priority 0;
> 	}
> }
> 
> However as you can see in the comments, this does not work with
> wireguard, however it does work with SSH.
> 
> I can see that wireguard is kernel space, and ssh user space, but does
> that cause the netfilter part to be skipped or am I doing some silly
> mistake here?
> 
> Best regards,
> 
> Nico
> 
> 
> --
> Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Netfilter redirect does not work with wireguard

[Nico Schottelius]

Hello,

there are actually no replies at all, which is why I *assumed* that the
packets do not actually arrive at the wireguard code.

How does wireguard integrate into the kernel / netfilter flow? Or in
other words, how is the expected behaviour of something like what I am
trying to do?

Best,

Nico

p.s.: I was also thinking about needing SNAT, but I don't see any
replies generated at the moment.


Ivan Labáth <labawi-wg@matrix-dream.net> writes:

> Hello,
>
> have you checked the source port of replies, or whether
> there are any replies?
>
> # tcpdump -nn
>
> Tcpdump should show pre-NAT addresses on incoming packets
> and AFAIK post-NAT on outgoing packets, i.e. what goes on
> the wire.
>
> You might need to apply SNAT on outgoing packets, which
> might happen automatically with TCP connection tracking,
> but I wouldn't really expect it on connection-less UDP.
>
> Regards,
> Ivan
>
> On Thu, Nov 07, 2019 at 05:38:42PM +0100, Nico Schottelius wrote:
>>
>> Hello,
>>
>> I am experimenting with nft / netfilter redirects to support wireguard
>> packets on *any* udp port. I tried using the following configuration for
>> nftables:
>>
>> [17:34:14] vpn-2a0ae5c1:~# cat /etc/nftables.conf
>> #!/usr/sbin/nft -f
>>
>> flush ruleset
>>
>> table ip nat {
>> 	chain prerouting {
>> 		type nat hook prerouting priority 0;
>>
>> 		# SSH works
>> 		tcp dport != 22 redirect to 22
>>
>> 		# wireguard doesn't
>> 		udp dport != 51820 redirect to 51820
>> 	}
>>
>> 	chain postrouting {
>> 		type nat hook postrouting priority 0;
>> 	}
>> }
>>
>> However as you can see in the comments, this does not work with
>> wireguard, however it does work with SSH.
>>
>> I can see that wireguard is kernel space, and ssh user space, but does
>> that cause the netfilter part to be skipped or am I doing some silly
>> mistake here?
>>
>> Best regards,
>>
>> Nico
>>
>>
>> --
>> Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard


--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard