* match on wg packets and redirect
From: Adrian Sevcenco @ 2018-11-04 9:09 UTC
To: wireguard

Hi! Is there a way to use iptables to match wireguard packets incoming on 443 and then redirect them to the actual port?

In many hotels/hostels and other free wifi it seems that only 80+443 is allowed but amazingly both tcp and udp...

Thank you!
Adrian

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
* Re: match on wg packets and redirect
From: Matthias Urlichs @ 2018-11-04 9:55 UTC
To: wireguard

On 04.11.18 10:09, Adrian Sevcenco wrote:
> Hi! Is there a way to use iptables to match wireguard packets incoming
> on 443 and the redirect them to the actual port?

Just configure wireguard to use port 443 …

--
-- Matthias Urlichs
* Re: match on wg packets and redirect
From: Kalin KOZHUHAROV @ 2018-11-04 11:41 UTC
To: adrian.sev; +Cc: WireGuard mailing list

On Sun, Nov 4, 2018 at 10:10 AM Adrian Sevcenco <adrian.sev@gmail.com> wrote:
>
> Hi! Is there a way to use iptables to match wireguard packets incoming
> on 443 and the redirect them to the actual port?
>
> In many hotels/hostels and other free wifi it seems that only 80+443 is
> allowed but amazingly both tcp and udp...
>
Should be, just don't try to match "wg packets", match instead your (other) endpoint IP address and port.

And why would you even need to do that?
If you have an endpoint (in cloud, home, etc.) with address 1.2.3.4 and port 443, just connect to that, no iptables should be needed.

And you can still use the same ip to host a https website (it uses tcp) :^D

Cheers,
Kalin.
* Re: match on wg packets and redirect
From: Adrian Sevcenco @ 2018-11-04 13:46 UTC
To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On 11/04/2018 01:41 PM, Kalin KOZHUHAROV wrote:
> On Sun, Nov 4, 2018 at 10:10 AM Adrian Sevcenco <adrian.sev@gmail.com> wrote:
>>
>> Hi! Is there a way to use iptables to match wireguard packets incoming
>> on 443 and the redirect them to the actual port?
>>
>> In many hotels/hostels and other free wifi it seems that only 80+443 is
>> allowed but amazingly both tcp and udp...
>>
> Should be, just don't try to match "wg packets", match instead your
> (other) endpoint IP address and port.
>
> And why would you even need to do that?
> If you have an endpoint (in cloud, home, etc.) with address 1.2.3.4
> and port 443, just connect to that, no iptables should be needed.

So, the scenario is connecting a laptop over free wifi to my server. Most often free wifi blocks anything other than 80 and 443.
On my endpoint I have, beside http(s), also ssh (multiplexed through sslh).
So, I would like to redirect (in raw/prerouting) the incoming wg packets from 443 to the actual wg listening port .. but first I would need to match them.

> And you can still use the same ip to host a https website (it uses tcp) :^D

Well, yes, but this endpoint is already set up and used by other connections and I would like to keep it like that..
And now, that I took the time to answer the email, I realize that I can always start a second endpoint on 443 :)))

So, thank you! :)
Adrian

>
> Cheers,
> Kalin.
>
* Re: match on wg packets and redirect
From: Matthias Urlichs @ 2018-11-04 13:56 UTC
To: wireguard

On 04.11.18 14:46, Adrian Sevcenco wrote:
> so, i would like to redirect (in raw/prerouting) the incoming wg
> packets from 443 to actual wg listening port

Simply set your WG listening port to 443. There's nothing else that sends UDP packets to port 443, so why would you need to match anything?

If you really want to use two ports,

    iptables -t nat -I PREROUTING -p udp --dport 443 -i YOUR_EXTERNAL_INTERFACE -d YOUR_PUBLIC_IP -j REDIRECT --to-ports YOUR_REAL_WG_PORT

should work. Or you could set up a separate WG interface.

--
-- Matthias Urlichs
* Re: match on wg packets and redirect
From: Jason A. Donenfeld @ 2018-11-04 15:14 UTC
To: Adrian Sevcenco; +Cc: wireguard

On Sun, Nov 04, 2018 at 11:09:03AM +0200, Adrian Sevcenco wrote:
> Hi! Is there a way to use iptables to match wireguard packets incoming
> on 443 and the redirect them to the actual port?

    iptables -t nat -A PREROUTING -p udp --dports 80,443,53,67,68,546,547,10000,4500,123,161,5223 -j REDIRECT --to-ports 51820
* Re: match on wg packets and redirect
From: Jason A. Donenfeld @ 2018-11-04 15:29 UTC
To: Adrian Sevcenco; +Cc: wireguard

On Sun, Nov 04, 2018 at 04:14:25PM +0100, Jason A. Donenfeld wrote:
> On Sun, Nov 04, 2018 at 11:09:03AM +0200, Adrian Sevcenco wrote:
> > Hi! Is there a way to use iptables to match wireguard packets incoming
> > on 443 and the redirect them to the actual port?
>
> iptables -t nat -A PREROUTING -p udp --dports 80,443,53,67,68,546,547,10000,4500,123,161,5223 -j REDIRECT --to-ports 51820

Er, sorry, slightly better is below:

    iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 80,443,53,67,68,546,547,10000,4500,123,161,5223 -j REDIRECT --to-ports 51820

You might also just remove "-m multiport --dports ..." altogether, and have it accept _any_ incoming UDP packet, which could be handy.
* Re: match on wg packets and redirect
From: Saeid Akbari @ 2018-11-05 14:22 UTC
To: Adrian Sevcenco; +Cc: wireguard

Hi,
I understand your multiplexing kind of thought (like sslh), so I did some experiments with the u32 module, and came up with this:

    iptables -t nat -A PREROUTING -i eth0 \! -f -p udp \! --dport 51820 -m length --length 176 -m u32 --u32 "0 >> 22 & 0x3C @ 8 = 0x1000000" -j DNAT --to-destination :51820

I tested it on a server and it worked as expected. This way I intercept all wireguard initiator messages on all udp ports and redirect them to the listening (real) port of wireguard (51820); and because of DNAT, all follow-up packets get through as well.
However, I didn't try having any other udp port open to test the actual "multiplexing". There is only a packet length and first 4 bytes of udp payload check, which correspond to wireguard's initiator message (type 1).

Hope this would be useful to some people :))

P.S: I know that you don't need this stuff for your use case (there is no other udp port open on 443), but I thought it might be interesting to you.
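The u32 rule in the post above is compact but opaque, so here is an added example (not from the thread, not WireGuard project code) that models its match logic in pure Python and runs it over constructed packets. It assumes the standard IPv4/UDP header layout, that xt_length compares the IPv4 total length, and the WireGuard wire format from the whitepaper (type byte plus three reserved zero bytes, a 148-byte handshake initiation, a 92-byte handshake response); all packets are built inline, none are captured. It goes slightly beyond the post by also checking two edge cases the author did not test: a packet carrying IPv4 options, and a non-WireGuard datagram of the same size whose first four bytes happen to be 01 00 00 00.

```python
import struct

WG_PORT = 51820            # the "real" listening port used in the posted rule
WG_INITIATION_LEN = 148    # WireGuard handshake initiation message size
WG_RESPONSE_LEN = 92       # WireGuard handshake response message size
RULE_L3_LEN = 176          # 20-byte IPv4 header + 8-byte UDP header + 148


def build_ipv4_udp(payload, dport, sport=40000, options=b""):
    """Constructed IPv4+UDP datagram (checksums left zero; nothing here verifies them)."""
    assert len(options) % 4 == 0, "IP options must pad to 32-bit words"
    ihl = 5 + len(options) // 4
    udp_len = 8 + len(payload)
    total_len = ihl * 4 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl,  # version 4, header length in 32-bit words
                         0, total_len, 0x1234,
                         0,               # flags / fragment offset: unfragmented
                         64, 17, 0,       # TTL, protocol UDP, header checksum
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + options + udp_hdr + payload


def wg_message(msg_type, length):
    """Constructed WireGuard datagram: little-endian u32 type (1 type byte + 3
    reserved zero bytes on the wire), followed by a zeroed body of the right size."""
    return struct.pack("<I", msg_type) + b"\x00" * (length - 4)


def u32_match(pkt):
    """Evaluate "0 >> 22 & 0x3C @ 8 = 0x1000000" the way xt_u32 does:
      0 >> 22 & 0x3C  load the 32-bit word at offset 0, shift and mask -> IHL*4
      @               make that value the new base offset (start of the UDP header)
      8               load the 32-bit word at base+8, i.e. the first 4 UDP payload bytes
      = 0x1000000     compare with 0x01000000, the bytes 01 00 00 00
    """
    word0 = struct.unpack("!I", pkt[0:4])[0]
    base = (word0 >> 22) & 0x3C
    if base + 12 > len(pkt):
        return False                      # xt_u32 fails the match on a short read
    word = struct.unpack("!I", pkt[base + 8:base + 12])[0]
    return word == 0x01000000


def rule_matches(pkt):
    """The match part of the posted rule:
    '! -f -p udp ! --dport 51820 -m length --length 176 -m u32 ...'"""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    if frag_offset != 0:                  # '! -f': not a second-or-later fragment
        return False
    if proto != 17:                       # '-p udp'
        return False
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if dport == WG_PORT:                  # '! --dport 51820': already at the real port
        return False
    if total_len != RULE_L3_LEN:          # '-m length' compares the IPv4 total length
        return False
    return u32_match(pkt)


def sample_packets():
    """Constructed test traffic, keyed by what each packet represents."""
    return {
        "initiation on 443": build_ipv4_udp(wg_message(1, WG_INITIATION_LEN), dport=443),
        "response on 443": build_ipv4_udp(wg_message(2, WG_RESPONSE_LEN), dport=443),
        "initiation already on 51820": build_ipv4_udp(wg_message(1, WG_INITIATION_LEN), dport=WG_PORT),
        # Same initiation, but the IPv4 header carries 4 bytes of NOP options (IHL = 6).
        "initiation with IP options": build_ipv4_udp(wg_message(1, WG_INITIATION_LEN), dport=443, options=b"\x01" * 4),
        # Not WireGuard at all: a 148-byte payload to port 53 that happens to begin 01 00 00 00.
        "lookalike on 53": build_ipv4_udp(b"\x01\x00\x00\x00" + b"\x00" * 144, dport=53),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:30s} len={len(pkt):3d} u32={u32_match(pkt)!s:5s} rule={rule_matches(pkt)}")
```

Two results are worth noting. The initiation with IP options passes the u32 test (the `@` operator follows the IHL) but fails `--length 176`, because that match is against the IPv4 total length, so such packets would not be redirected. Conversely, the port-53 lookalike is redirected, since the rule checks nothing beyond the size and the first four payload bytes; that is the limit of the "multiplexing" the post describes, and it is why the author's caveat about not having tested other open UDP ports matters.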