WireGuard Archive on lore.kernel.org
* match on wg packets and redirect
@ 2018-11-04  9:09 Adrian Sevcenco
  2018-11-04  9:55 ` Matthias Urlichs
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Adrian Sevcenco @ 2018-11-04  9:09 UTC (permalink / raw)
  To: wireguard

Hi! Is there a way to use iptables to match wireguard packets incoming 
on 443 and then redirect them to the actual port?

In many hotels/hostels and other free wifi it seems that only 80+443 is 
allowed but amazingly both tcp and udp...

Thank you!
Adrian
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: match on wg packets and redirect
  2018-11-04  9:09 match on wg packets and redirect Adrian Sevcenco
@ 2018-11-04  9:55 ` Matthias Urlichs
  2018-11-04 11:41 ` Kalin KOZHUHAROV
  2018-11-04 15:14 ` Jason A. Donenfeld
  2 siblings, 0 replies; 8+ messages in thread
From: Matthias Urlichs @ 2018-11-04  9:55 UTC (permalink / raw)
  To: wireguard

On 04.11.18 10:09, Adrian Sevcenco wrote:
> Hi! Is there a way to use iptables to match wireguard packets incoming
> on 443 and then redirect them to the actual port?

Just configure wireguard to use port 443 …

-- 
-- Matthias Urlichs


* Re: match on wg packets and redirect
  2018-11-04  9:09 match on wg packets and redirect Adrian Sevcenco
  2018-11-04  9:55 ` Matthias Urlichs
@ 2018-11-04 11:41 ` Kalin KOZHUHAROV
  2018-11-04 13:46   ` Adrian Sevcenco
  2018-11-04 15:14 ` Jason A. Donenfeld
  2 siblings, 1 reply; 8+ messages in thread
From: Kalin KOZHUHAROV @ 2018-11-04 11:41 UTC (permalink / raw)
  To: adrian.sev; +Cc: WireGuard mailing list

On Sun, Nov 4, 2018 at 10:10 AM Adrian Sevcenco <adrian.sev@gmail.com> wrote:
>
> Hi! Is there a way to use iptables to match wireguard packets incoming
> on 443 and then redirect them to the actual port?
>
> In many hotels/hostels and other free wifi it seems that only 80+443 is
> allowed but amazingly both tcp and udp...
>
Should be, just don't try to match "wg packets", match instead your
(other) endpoint IP address and port.

And why would you even need to do that?
If you have an endpoint (in cloud, home, etc.) with address 1.2.3.4
and port 443, just connect to that, no iptables should be needed.

And you can still use the same ip to host a https website (it uses tcp) :^D

Cheers,
Kalin.

* Re: match on wg packets and redirect
  2018-11-04 11:41 ` Kalin KOZHUHAROV
@ 2018-11-04 13:46   ` Adrian Sevcenco
  2018-11-04 13:56     ` Matthias Urlichs
  0 siblings, 1 reply; 8+ messages in thread
From: Adrian Sevcenco @ 2018-11-04 13:46 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On 11/04/2018 01:41 PM, Kalin KOZHUHAROV wrote:
> On Sun, Nov 4, 2018 at 10:10 AM Adrian Sevcenco <adrian.sev@gmail.com> wrote:
>>
>> Hi! Is there a way to use iptables to match wireguard packets incoming
>> on 443 and then redirect them to the actual port?
>>
>> In many hotels/hostels and other free wifi it seems that only 80+443 is
>> allowed but amazingly both tcp and udp...
>>
> Should be, just don't try to match "wg packets", match instead your
> (other) endpoint IP address and port.
> 
> And why would you even need to do that?
> If you have an endpoint (in cloud, home, etc.) with address 1.2.3.4
> and port 443, just connect to that, no iptables should be needed.
So, the scenario is connecting a laptop over free wifi to my server.
Most often free wifi blocks anything other than 80 and 443.
On my endpoint I have, besides http(s), also ssh (multiplexed through sslh).

So, I would like to redirect (in raw/prerouting) the incoming wg packets 
from 443 to the actual wg listening port .. but first I would need to match them.

> And you can still use the same ip to host a https website (it uses tcp) :^D
Well, yes, but this endpoint is already set up and used by other 
connections and I would like to keep it like that..

And now that I took the time to answer the email, I realize that I can 
always start a second endpoint on 443 :)))

So, thank you! :)
Adrian

> 
> Cheers,
> Kalin.
> 


* Re: match on wg packets and redirect
  2018-11-04 13:46   ` Adrian Sevcenco
@ 2018-11-04 13:56     ` Matthias Urlichs
  0 siblings, 0 replies; 8+ messages in thread
From: Matthias Urlichs @ 2018-11-04 13:56 UTC (permalink / raw)
  To: wireguard

On 04.11.18 14:46, Adrian Sevcenco wrote:
> so, i would like to redirect (in raw/prerouting) the incoming wg
> packets from 443 to actual wg listening port

Simply set your WG listening port to 443.

There's nothing else that sends UDP packets to port 443, so why would
you need to match anything?

If you really want to use two ports,

iptables -t nat -I PREROUTING -p udp --dport 443 -i YOUR_EXTERNAL_INTERFACE -d YOUR_PUBLIC_IP -j REDIRECT --to-ports YOUR_REAL_WG_PORT

should work. Or you could set up a separate WG interface.

-- 
-- Matthias Urlichs


* Re: match on wg packets and redirect
  2018-11-04  9:09 match on wg packets and redirect Adrian Sevcenco
  2018-11-04  9:55 ` Matthias Urlichs
  2018-11-04 11:41 ` Kalin KOZHUHAROV
@ 2018-11-04 15:14 ` Jason A. Donenfeld
  2018-11-04 15:29   ` Jason A. Donenfeld
  2 siblings, 1 reply; 8+ messages in thread
From: Jason A. Donenfeld @ 2018-11-04 15:14 UTC (permalink / raw)
  To: Adrian Sevcenco; +Cc: wireguard

On Sun, Nov 04, 2018 at 11:09:03AM +0200, Adrian Sevcenco wrote:
> Hi! Is there a way to use iptables to match wireguard packets incoming 
> on 443 and then redirect them to the actual port?

iptables -t nat -A PREROUTING -p udp --dports 80,443,53,67,68,546,547,10000,4500,123,161,5223 -j REDIRECT --to-ports 51820

* Re: match on wg packets and redirect
  2018-11-04 15:14 ` Jason A. Donenfeld
@ 2018-11-04 15:29   ` Jason A. Donenfeld
  0 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2018-11-04 15:29 UTC (permalink / raw)
  To: Adrian Sevcenco; +Cc: wireguard


On Sun, Nov 04, 2018 at 04:14:25PM +0100, Jason A. Donenfeld wrote:
> On Sun, Nov 04, 2018 at 11:09:03AM +0200, Adrian Sevcenco wrote:
> > Hi! Is there a way to use iptables to match wireguard packets incoming 
> > on 443 and then redirect them to the actual port?
> 
> iptables -t nat -A PREROUTING -p udp --dports 80,443,53,67,68,546,547,10000,4500,123,161,5223 -j REDIRECT --to-ports 51820

Er, sorry, slightly better is below:

iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 80,443,53,67,68,546,547,10000,4500,123,161,5223 -j REDIRECT --to-ports 51820

You might also just remove "-m multiport --dports ..." altogether, and
have it accept _any_ incoming UDP packet, which could be handy.

* Re: match on wg packets and redirect
@ 2018-11-05 14:22 Saeid Akbari
  0 siblings, 0 replies; 8+ messages in thread
From: Saeid Akbari @ 2018-11-05 14:22 UTC (permalink / raw)
  To: Adrian Sevcenco; +Cc: wireguard

Hi,

I understand your multiplexing kind of thought (like sslh), so I did some 
experiments with the u32 module, and came up with this:

iptables -t nat -A PREROUTING -i eth0 \! -f -p udp \! --dport 51820 -m length --length 176 -m u32 --u32 "0 >> 22 & 0x3C @ 8 = 0x1000000" -j DNAT --to-destination :51820

I tested it on a server and it worked as expected. This way I intercept all 
WireGuard initiator messages on all UDP ports and redirect them to the 
listening (real) port of WireGuard (51820); and because of DNAT, all follow-up 
packets get through as well. However, I didn't try having any other UDP port 
open to test the actual "multiplexing". There is only a packet length and first 4 
bytes of UDP payload check, which correspond to WireGuard's initiator message 
(type 1).

Hope this would be useful to some people :))

P.S.: I know that you don't need this stuff for your use case (there is no 
other UDP port open on 443), but I thought it might be interesting to you.
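As an added illustration (not part of Saeid's post or of WireGuard itself), the Python below emulates what the two matches in that rule evaluate on a raw IPv4 packet, so the expression can be checked offline against constructed packets rather than captured traffic. The 176 in the rule is 20 bytes of IPv4 header plus 8 bytes of UDP header plus the 148-byte handshake initiation; the addresses and ports in the sample packets are made up.

```python
import struct

# A WireGuard handshake initiation is 148 bytes: a 4-byte header (type 1 and
# three reserved zero bytes) followed by 144 bytes of handshake fields.
WG_INITIATION_LEN = 148
IPV4_HDR_MIN, UDP_HDR = 20, 8
EXPECTED_IP_LEN = IPV4_HDR_MIN + UDP_HDR + WG_INITIATION_LEN  # 176, as in the rule

def u32_initiation_match(pkt: bytes) -> bool:
    """Emulate `-m u32 --u32 "0 >> 22 & 0x3C @ 8 = 0x1000000"` on a raw IPv4 packet.
    u32 loads the 4 bytes at offset 0, shifts right by 22 and masks with 0x3C,
    which yields IHL*4, the IPv4 header length; `@` makes that the new base, so
    offset 8 is the first UDP payload word, which must equal 0x01000000."""
    if len(pkt) < 4:
        return False
    word0 = struct.unpack("!I", pkt[:4])[0]
    payload_off = ((word0 >> 22) & 0x3C) + UDP_HDR
    if len(pkt) < payload_off + 4:
        return False
    return struct.unpack("!I", pkt[payload_off:payload_off + 4])[0] == 0x01000000

def length_match(pkt: bytes, expected: int = EXPECTED_IP_LEN) -> bool:
    """Emulate `-m length --length 176`: compare the IPv4 total-length field."""
    return len(pkt) >= 4 and struct.unpack("!H", pkt[2:4])[0] == expected

def is_wg_initiation(pkt: bytes) -> bool:
    """Both matches must hold before the posted rule DNATs the packet."""
    return length_match(pkt) and u32_initiation_match(pkt)

def build_ipv4_udp(payload: bytes, dport: int = 443, options: bytes = b"") -> bytes:
    """Constructed sample packet (not captured traffic): IPv4 header, optional
    IP options (multiple of 4 bytes), UDP header with zero checksum, payload."""
    ihl = (IPV4_HDR_MIN + len(options)) // 4
    total = IPV4_HDR_MIN + len(options) + UDP_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    udp = struct.pack("!HHHH", 40000, dport, UDP_HDR + len(payload), 0)
    return ip + udp + payload

# Constructed payloads: an initiation-shaped message (type 1) and a
# response-shaped one (type 2, 92 bytes), which the rule must not redirect.
WG_INIT = bytes([1, 0, 0, 0]) + b"\x00" * (WG_INITIATION_LEN - 4)
WG_RESPONSE = bytes([2, 0, 0, 0]) + b"\x00" * 88

if __name__ == "__main__":
    print("initiation on udp/443 redirected:", is_wg_initiation(build_ipv4_udp(WG_INIT)))
    print("response on udp/443 redirected:  ", is_wg_initiation(build_ipv4_udp(WG_RESPONSE)))
```

One caveat the emulation makes visible: a packet carrying IPv4 options still satisfies the u32 check (the `@` honours IHL) but fails the fixed 176-byte length test, so the rule only redirects option-free initiations.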


