match on wg packets and redirect
Saeid Akbari
saeidscorp at yahoo.com
Mon Nov 5 15:22:06 CET 2018
Hi,
I understand your multiplexing kind of thought (like sslh), so I did some
experiments with the u32 module, and came up with this:
iptables -t nat -A PREROUTING -i eth0 \! -f -p udp \! --dport 51820 \
  -m length --length 176 -m u32 --u32 "0 >> 22 & 0x3C @ 8 = 0x1000000" \
  -j DNAT --to-destination :51820
I tested it on a server and it worked as expected. This way I intercept all
WireGuard initiator messages on all UDP ports and redirect them to the
listening (real) port of WireGuard (51820); and because of DNAT, all follow-up
packets get through as well. However, I didn't try having any other UDP port
open to test the actual "multiplexing". There is only a packet length check and
a check of the first 4 bytes of the UDP payload, which correspond to WireGuard's
initiator message (type 1).
Hope this would be useful to some people :))
P.S.: I know that you don't need this stuff for your use case (there is no
other UDP port open on 443), but I thought it might be interesting to you.
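As an added illustration (not part of the original post) of what the rule above actually tests, the following Python replicates its four checks on constructed IPv4/UDP packets: the exact layer-3 length of 176, the not-a-fragment condition, the destination-port exclusion, and the u32 expression that derives the IP header length from the first 32-bit word and then compares the first 4 bytes of UDP payload with 0x01000000. The packet layout, addresses and sample payloads are assumptions built for the demo; the last case shows that a packet carrying IP options still passes the u32 check but fails the fixed --length 176 test.

```python
import struct

LISTEN_PORT = 51820          # WireGuard's real listening port, as in the post
WG_INITIATION_LEN = 148      # handshake initiation size; 20 (IP) + 8 (UDP) + 148 = 176

def build_ipv4_udp(sport: int, dport: int, payload: bytes, ihl_words: int = 5) -> bytes:
    """Constructed test packet: IPv4 header (optionally padded with options) + UDP header + payload."""
    udp_len = 8 + len(payload)
    total_len = ihl_words * 4 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # assumed private addresses
    ip += b"\x00" * ((ihl_words - 5) * 4)          # zero-filled IP options, if any
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + udp + payload

def matches_redirect_rule(packet: bytes) -> bool:
    """Evaluate the post's iptables rule against one raw IPv4 packet."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return False
    # -m length --length 176: layer-3 packet length must be exactly 176
    if len(packet) != 176:
        return False
    # ! -f: not a fragment (MF flag clear and fragment offset zero)
    if struct.unpack("!H", packet[6:8])[0] & 0x3FFF:
        return False
    # -p udp
    if packet[9] != 17:
        return False
    # u32 "0 >> 22 & 0x3C": the first 32-bit word shifted and masked yields IHL * 4, the IP header length
    ihl_bytes = (struct.unpack("!I", packet[0:4])[0] >> 22) & 0x3C
    # ! --dport 51820: packets already aimed at the real port are left alone
    dport = struct.unpack("!H", packet[ihl_bytes + 2:ihl_bytes + 4])[0]
    if dport == LISTEN_PORT:
        return False
    # "@ 8 = 0x1000000": jump to the UDP header, read 4 bytes at offset 8 (first 4 payload bytes);
    # type byte 1 followed by three reserved zero bytes marks a handshake initiation
    first_word = struct.unpack("!I", packet[ihl_bytes + 8:ihl_bytes + 12])[0]
    return first_word == 0x01000000

# Constructed sample traffic (not real captures)
INITIATION = b"\x01\x00\x00\x00" + b"\x00" * (WG_INITIATION_LEN - 4)
RESPONSE = b"\x02\x00\x00\x00" + b"\x00" * 88                          # handshake response is 92 bytes
OTHER_UDP = b"\x05\x00\x00\x00" + b"\x00" * (WG_INITIATION_LEN - 4)   # same size, different first bytes

if __name__ == "__main__":
    print(matches_redirect_rule(build_ipv4_udp(40000, 443, INITIATION)))              # True: redirected
    print(matches_redirect_rule(build_ipv4_udp(40000, LISTEN_PORT, INITIATION)))      # False: already on real port
    print(matches_redirect_rule(build_ipv4_udp(40000, 443, RESPONSE)))                # False: wrong length
    print(matches_redirect_rule(build_ipv4_udp(40000, 443, OTHER_UDP)))               # False: payload check
    print(matches_redirect_rule(build_ipv4_udp(40000, 443, INITIATION, ihl_words=6))) # False: options break --length 176
```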