match on wg packets and redirect

Saeid Akbari saeidscorp at
Mon Nov 5 15:22:06 CET 2018


I understand you're multiplexing kind of thought (like sslh), so I did some 
experiments with the u32 module, and came up with this:

iptables -t nat -A PREROUTING -i eth0 \! -f -p udp \! --dport 51820 \
    -m length --length 176 \
    -m u32 --u32 "0 >> 22 & 0x3C @ 8 = 0x1000000" \
    -j DNAT --to-destination :51820

I tested it on a server and it worked as expected. This way I intercept all 
WireGuard initiator messages on all UDP ports and redirect them to the 
listening (real) port of WireGuard (51820); and because of DNAT, all follow-up 
packets get through as well. However, I didn't try having any other UDP port 
open to test the actual "multiplexing". There is only a packet length and first 4 
bytes of UDP payload check, which correspond to WireGuard's initiator message 
(type 1).

Hope this would be useful to some people :))

P.S.: I know that you don't need this stuff for your use case (there is no 
other UDP port open on 443), but I thought it might be interesting to you.
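To show what the rule's length and u32 checks actually test, here is an added Python example (not the poster's code) that builds constructed IPv4/UDP packets and emulates the rule's matches on them. The port 51820 and the 176-byte length come from the post; the addresses, source ports and payload bytes are made up, and the handshake body is just zero padding to the right size.

```python
"""Emulate the iptables/u32 WireGuard handshake match on constructed packets.

Added example, not code from the mailing-list post. Port 51820 and the 176-byte
length are from the post; addresses, ports and payload bytes are constructed.
"""
import struct

IP_PROTO_UDP = 17
UDP_HDR_LEN = 8
WG_HANDSHAKE_INIT_LEN = 148          # WireGuard handshake initiation message, bytes
WG_MSG_HANDSHAKE_INIT = 0x01         # first byte of that message (type 1)
WG_REAL_PORT = 51820                 # port WireGuard actually listens on (from the post)
MATCH_LENGTH = 20 + UDP_HDR_LEN + WG_HANDSHAKE_INIT_LEN   # 176, as in --length 176


def build_ipv4_udp(payload, sport, dport, ihl_words=5):
    """Construct a minimal IPv4/UDP packet; checksums stay zero (constructed test data)."""
    options = b"\x00" * ((ihl_words - 5) * 4)
    total_len = ihl_words * 4 + UDP_HDR_LEN + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,   # version 4, header length in 32-bit words
        0,                      # DSCP/ECN
        total_len,              # what -m length --length compares against
        0x1234,                 # identification (arbitrary)
        0,                      # flags/fragment offset: first (only) fragment
        64,                     # TTL
        IP_PROTO_UDP,
        0,                      # header checksum (not computed here)
        bytes([192, 0, 2, 1]),  # TEST-NET-1 source, constructed
        bytes([192, 0, 2, 2]),  # TEST-NET-1 destination, constructed
    ) + options
    udp_hdr = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def u32_expr_matches(pkt):
    """Evaluate the post's u32 expression "0 >> 22 & 0x3C @ 8 = 0x1000000".

    0 >> 22 & 0x3C : 32-bit word at IP offset 0, shifted so the IHL nibble lands
                     in bits 2..5, giving IHL * 4 = IP header length in bytes
    @ 8            : rebase to the UDP header and read the 32-bit word 8 bytes in,
                     i.e. the first 4 bytes of UDP payload
    = 0x1000000    : type byte 0x01 followed by the three reserved zero bytes
    """
    if len(pkt) < 4:
        return False
    word0 = struct.unpack("!I", pkt[0:4])[0]
    ip_hdr_len = (word0 >> 22) & 0x3C
    off = ip_hdr_len + 8
    if len(pkt) < off + 4:
        return False                      # u32 never matches past the packet end
    return struct.unpack("!I", pkt[off:off + 4])[0] == 0x01000000


def rule_matches(pkt):
    """Emulate the whole rule: \\! -f, -p udp, \\! --dport 51820, --length 176, u32."""
    if len(pkt) < 20:
        return False
    ihl_bytes = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    if frag_offset != 0:                  # \! -f : only first fragments are considered
        return False
    if proto != IP_PROTO_UDP:             # -p udp
        return False
    dport = struct.unpack("!H", pkt[ihl_bytes + 2:ihl_bytes + 4])[0]
    if dport == WG_REAL_PORT:             # \! --dport 51820 : real port needs no DNAT
        return False
    if total_len != MATCH_LENGTH:         # -m length --length 176
        return False
    return u32_expr_matches(pkt)


def wg_handshake_init_payload():
    """Constructed stand-in for a handshake initiation: type 1, 3 reserved zero bytes, body."""
    return bytes([WG_MSG_HANDSHAKE_INIT, 0, 0, 0]) + b"\x00" * (WG_HANDSHAKE_INIT_LEN - 4)


if __name__ == "__main__":
    init_on_443 = build_ipv4_udp(wg_handshake_init_payload(), 40000, 443)
    init_on_real = build_ipv4_udp(wg_handshake_init_payload(), 40000, WG_REAL_PORT)
    data_pkt = build_ipv4_udp(b"\x04\x00\x00\x00" + b"\x00" * 144, 40000, 443)
    print("handshake to :443 redirected :", rule_matches(init_on_443))   # True
    print("handshake to :51820 redirected:", rule_matches(init_on_real))  # False
    print("type-4 data to :443 redirected:", rule_matches(data_pkt))      # False
```

The emulation makes the post's caveat concrete: the rule keys on nothing but the layer-3 length and the 4-byte payload prefix, so any 176-byte UDP datagram to any port that happens to start with 01 00 00 00 is also DNATed to 51820, where WireGuard drops it as a failed handshake. It also shows why the `@` rebase matters: a packet with IP options still satisfies the u32 expression (the payload offset is computed from IHL), but then fails the fixed 176-byte length check.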

More information about the WireGuard mailing list