wireguard.lists.zx2c4.com archive mirror
* match on wg packets and redirect
@ 2018-11-04  9:09 Adrian Sevcenco
  2018-11-04  9:55 ` Matthias Urlichs
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Adrian Sevcenco @ 2018-11-04  9:09 UTC (permalink / raw)
  To: wireguard

Hi! Is there a way to use iptables to match wireguard packets incoming 
on 443 and then redirect them to the actual port?

In many hotels/hostels and other free wifi it seems that only 80+443 is 
allowed but amazingly both tcp and udp...

Thank you!
Adrian
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: match on wg packets and redirect
@ 2018-11-05 14:22 Saeid Akbari
  0 siblings, 0 replies; 8+ messages in thread
From: Saeid Akbari @ 2018-11-05 14:22 UTC (permalink / raw)
  To: Adrian Sevcenco; +Cc: wireguard

Hi,

I understand you're thinking of some kind of multiplexing (like sslh), so I did 
some experiments with the u32 module, and came up with this:

iptables -t nat -A PREROUTING -i eth0 \! -f -p udp \! --dport 51820 \
    -m length --length 176 \
    -m u32 --u32 "0 >> 22 & 0x3C @ 8 = 0x1000000" \
    -j DNAT --to-destination :51820

I tested it on a server and it worked as expected. This way I intercept all 
wireguard initiator messages on all udp ports and redirect them to the 
listening (real) port of wireguard (51820); and because of DNAT, all follow-up 
packets get through as well. However, I didn't try having any other udp port 
open to test the actual "multiplexing". There is only a check of the packet 
length and the first 4 bytes of the udp payload, which correspond to 
wireguard's initiator message (type 1).

Hope this would be useful to some people :))

P.S: I know that you don't need this stuff for your use case (there is no 
other udp port open on 443), but I thought it might be interesting to you.



^ permalink raw reply	[flat|nested] 8+ messages in thread
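
The tests performed by the rule in the message above, replayed in Python over constructed packets (an added example, not part of the original post or of WireGuard). The names `rule_matches`, `ipv4_udp` and `SAMPLES` are made up here; the 148-byte initiation size is the assumption that gives the rule's total length of 176 with a 20-byte IP header.

```python
import struct

WG_PORT = 51820      # real listening port, from the rule above
INIT_LEN = 148       # size of a WireGuard handshake initiation (type 1)

def word(pkt, off):
    """Big-endian 32-bit read, the way the u32 match reads packet data."""
    return struct.unpack_from("!I", pkt, off)[0]

def rule_matches(pkt):
    """Apply the rule's tests, in order, to one raw IPv4 packet."""
    if len(pkt) < 28 or pkt[9] != 17:        # -p udp
        return False
    if word(pkt, 4) & 0x1FFF:                # ! -f: skip non-first fragments
        return False
    ihl = (word(pkt, 0) >> 22) & 0x3C        # "0 >> 22 & 0x3C": IP header bytes
    if len(pkt) < ihl + 12:
        return False
    if struct.unpack_from("!H", pkt, ihl + 2)[0] == WG_PORT:   # ! --dport 51820
        return False
    if len(pkt) != 176:                      # -m length --length 176 (20+8+148)
        return False
    return word(pkt, ihl + 8) == 0x01000000  # "@ 8 = 0x1000000": type 1 + 3 zero bytes

def ipv4_udp(dport, payload, options=b""):
    """Constructed test packet; checksums are left at zero."""
    ihl = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + 8 + len(payload),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return ip + options + udp + payload

INIT = b"\x01\x00\x00\x00" + bytes(INIT_LEN - 4)     # constructed, not a real handshake

SAMPLES = {
    "initiation on 443": ipv4_udp(443, INIT),
    "initiation on 51820": ipv4_udp(WG_PORT, INIT),
    "148-byte payload, other first word": ipv4_udp(443, b"\x16\x03\x01\x00" + bytes(144)),
    "initiation with 4 bytes of IP options": ipv4_udp(443, INIT, options=bytes(4)),
    "transport data (type 4)": ipv4_udp(443, b"\x04\x00\x00\x00" + bytes(60)),
    "other 148-byte datagram starting 01 00 00 00": ipv4_udp(53, INIT),
}

def classify():
    return {name: rule_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'DNAT' if hit else 'pass'}  {name}")
```

The last two rows show the limits of a length-plus-type match: an initiation carrying IP options is no longer 176 bytes and is missed, and any 148-byte UDP payload that begins with 01 00 00 00 is redirected whether or not it is WireGuard.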

Thread overview: 8+ messages
2018-11-04  9:09 match on wg packets and redirect Adrian Sevcenco
2018-11-04  9:55 ` Matthias Urlichs
2018-11-04 11:41 ` Kalin KOZHUHAROV
2018-11-04 13:46   ` Adrian Sevcenco
2018-11-04 13:56     ` Matthias Urlichs
2018-11-04 15:14 ` Jason A. Donenfeld
2018-11-04 15:29   ` Jason A. Donenfeld
2018-11-05 14:22 Saeid Akbari
