From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>,
	"Konstantin Ryabitsev" <konstantin@linuxfoundation.org>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Sending just ssh traffic via wg
Date: Fri, 5 Oct 2018 19:34:13 +0200
Message-ID: <CAHmME9oCrSogDHZh_+jzKHDs8ugqsgUUjrBqVx3P2OxLGmnA0g@mail.gmail.com>
In-Reply-To: <20181005155328.GB22501@puremoods>

Hey Konstantin,

On Fri, Oct 5, 2018 at 5:53 PM Konstantin Ryabitsev
<konstantin@linuxfoundation.org> wrote:
> > Any reason why you can't just do
> >
> > ip rule add dport 22 lookup 2468
>
> Yeah, this works, too, and is quite a bit simpler. Jason, any reason why
> I wouldn't use this?

Definitely use that. A reason for preferring netfilter for this would
be if you're doing lots of crazier netfilter stuff as well and want
complex rules. But for just tcp:22 matching, Toke's suggestion is by
far the best. I imagine internally, the kernel can just look into
`struct flowi` during the route lookups and doesn't need to do much
subsequent parsing.

The one thing I'd change is you should add "ipproto tcp" to the
command so you don't match udp:22 as well.

> Every time there is a network blip, the admin loses their OpenVPN link
> and, if they don't re-establish it quickly enough (typing in their
> username, password, TOTP token value), then their ssh sessions reset.
> Quite possibly the worst thing to happen to an admin in the middle of
> troubleshooting something.
>
> Similarly, if there's an alert in the middle of the night that requires
> checking something out, it's annoying to have to first establish an
> OpenVPN connection before being able to ssh in to a system.
>
> So, we're working on a new setup where admins would have an always-on
> WireGuard connection to the infra, but that connection only allows ssh
> traffic. In this case, don't need 2-factor on the wireguard link, just
> packet encapsulation. But should the admin need to bring up the OpenVPN
> link for accessing something like an iDrac interface on a Dell, they
> need to be able to do this without needing to shut down their WireGuard
> tunnel first (since both WG and OpenVPN provide routing to the same
> internal ip ranges). Therefore, I was looking for a way to *only* send
> port 22 traffic on the wg link.

This seems like a reasonable and simple way of doing it. You could,
instead, make a little ssh wrapper that does the netns/vrf/cgroup
stuff if you wanted this at the process level, but probably the
heuristic of ssh==22 is a totally good and acceptable one that will be
less error prone.

By the way, hopefully as core development simmers down, I'll be able
to focus a bit more on infrastructure projects like adding 2FA on top
of wireguard.

> The following achieves what we need:
>
> [Interface]
> PrivateKey = [omitted]
> Address = [omitted]
> DNS = 127.0.0.1
> Table = 2468
> PostUp = ip rule add to 10.10.0.0/16 dport 22 lookup 2468
> PostDown = ip rule del to 10.10.0.0/16 dport 22 lookup 2468
>
> [Peer]
> PublicKey = [omitted]
> AllowedIPs = 10.10.0.0/16
> Endpoint = [omitted]
>
> This achieves what we need *quite* nicely!

I've added this example to the wg-quick(8) man page:
https://git.zx2c4.com/WireGuard/commit/?id=3e2f5495ea684d7f06fbefc50290e7d8985fc3de

Regards,
Jason
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
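The rule the thread arrives at, with the "ipproto tcp" refinement Jason asks for, as an added example that is not part of the original message or of the WireGuard project: it emits the wg-quick PostUp/PostDown hook lines and checks a (constructed) `ip rule show` listing for a dport rule on the WireGuard table that still lacks an ipproto qualifier and so would also match udp:22. The table number and the 10.10.0.0/16 range are taken from Konstantin's config; everything else is assumed.

```shell
#!/bin/sh
# Added example; not from the thread or from wg-quick itself.

WG_TABLE=2468          # Table = 2468 from the quoted wg-quick config
INFRA_NET=10.10.0.0/16 # AllowedIPs range reached over the WireGuard link

# Build the policy-routing rule. "ipproto tcp" limits the match to TCP,
# so UDP datagrams to port 22 keep following the default route.
ssh_only_rule() {
    # $1 = add | del
    printf 'ip rule %s to %s ipproto tcp dport 22 lookup %s\n' \
        "$1" "$INFRA_NET" "$WG_TABLE"
}

# The two hook lines as they would appear in the [Interface] section.
wg_quick_hooks() {
    printf 'PostUp = %s\n' "$(ssh_only_rule add)"
    printf 'PostDown = %s\n' "$(ssh_only_rule del)"
}

# Read `ip rule show` output on stdin and flag any rule that selects the
# WireGuard table by dport without an ipproto qualifier (i.e. the rule
# as first posted, which matches udp:22 too). Returns 1 if one is found.
find_protocol_agnostic_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *dport*"lookup $WG_TABLE"*|*"lookup $WG_TABLE"*dport*)
                case "$line" in
                    *ipproto*) ;;
                    *) printf 'matches UDP too: %s\n' "$line"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Constructed sample of what `ip rule show` prints with the original rule.
SAMPLE_RULES_WEAK='0:      from all lookup local
32765:  from all to 10.10.0.0/16 dport 22 lookup 2468
32766:  from all lookup main
32767:  from all lookup default'

# Same listing after the rule was re-added with "ipproto tcp".
SAMPLE_RULES_FIXED='0:      from all lookup local
32765:  from all to 10.10.0.0/16 ipproto tcp dport 22 lookup 2468
32766:  from all lookup main
32767:  from all lookup default'
```

Run `printf '%s\n' "$SAMPLE_RULES_WEAK" | find_protocol_agnostic_rules` (or pipe in the real `ip rule show`) to see the protocol-agnostic rule reported.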
