Sending just ssh traffic via wg
Jason A. Donenfeld
Jason at zx2c4.com
Fri Oct 5 19:34:13 CEST 2018
On Fri, Oct 5, 2018 at 5:53 PM Konstantin Ryabitsev
<konstantin at linuxfoundation.org> wrote:
> > Any reason why you can't just do
> > ip rule add dport 22 lookup 2468
> Yeah, this works, too, and is quite a bit simpler. Jason, any reason why
> I wouldn't use this?
Definitely use that. A reason for preferring netfilter for this would
be if you're doing lots of crazier netfilter stuff as well and want
complex rules. But for just tcp:22 matching, Toke's suggestion is by
far the best. I imagine internally, the kernel can just look into
`struct flowi` during the route lookups and doesn't need to do much.
The one thing I'd change is you should add "ipproto tcp" to the
command so you don't match udp:22 as well.
> Every time there is a network blip, the admin loses their OpenVPN link
> and, if they don't re-establish it quickly enough (typing in their
> username, password, TOTP token value), then their ssh sessions reset.
> Quite possibly the worst thing to happen to an admin in the middle of
> troubleshooting something.
> Similarly, if there's an alert in the middle of the night that requires
> checking something out, it's annoying to have to first establish an
> OpenVPN connection before being able to ssh in to a system.
> So, we're working on a new setup where admins would have an always-on
> WireGuard connection to the infra, but that connection only allows ssh
> traffic. In this case, we don't need 2-factor on the wireguard link, just
> packet encapsulation. But should the admin need to bring up the OpenVPN
> link for accessing something like an iDrac interface on a Dell, they
> need to be able to do this without needing to shut down their WireGuard
> tunnel first (since both WG and OpenVPN provide routing to the same
> internal ip ranges). Therefore, I was looking for a way to *only* send
> port 22 traffic on the wg link.
This seems like a reasonable and simple way of doing it. You could,
instead, make a little ssh wrapper that does the netns/vrf/cgroup
stuff if you wanted this at the process level, but probably the
heuristic of ssh==22 is a totally good and acceptable one that will be
less error prone.
By the way, hopefully as core development simmers down, I'll be able
to focus a bit more on infrastructure projects like adding 2FA on top
> The following achieves what we need:
> [Interface]
> PrivateKey = [omitted]
> Address = [omitted]
> DNS = 127.0.0.1
> Table = 2468
> PostUp = ip rule add to 10.10.0.0/16 dport 22 lookup 2468
> PostDown = ip rule del to 10.10.0.0/16 dport 22 lookup 2468
>
> [Peer]
> PublicKey = [omitted]
> AllowedIPs = 10.10.0.0/16
> Endpoint = [omitted]
> This achieves what we need *quite* nicely!
I've added this example to the wg-quick(8) man page:
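The policy-routing setup discussed in this thread, as an added example that is not code from the original posts or from wg-quick(8): a small POSIX shell helper that builds the "ip rule" commands with the "ipproto tcp" match Jason suggests, applies them idempotently, prints the matching lines for the [Interface] section, and asks the kernel with "ip route get" which path a TCP/22 and a UDP/22 probe would actually take. The rule priority (1000), the interface name (wg0) and the environment-variable names are assumptions for the example and do not come from the thread; the 10.10.0.0/16 range and table 2468 are the values from the posted config.

```shell
#!/bin/sh
# wg-ssh-only.sh: steer only TCP/22 traffic for the internal range over the
# WireGuard interface and leave every other route (e.g. OpenVPN's) untouched.
# Added example for this thread; not code from the original posts or wg-quick(8).
# Assumed (not from the thread): rule priority 1000, interface wg0, variable names.

INTERNAL_NET="${INTERNAL_NET:-10.10.0.0/16}"  # AllowedIPs range in the posted config
WG_TABLE="${WG_TABLE:-2468}"                  # same number as "Table = 2468"
WG_IF="${WG_IF:-wg0}"                         # assumed interface name
RULE_PRIO="${RULE_PRIO:-1000}"                # assumed; pins the rule so "del" removes exactly it
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print commands instead of executing them

# Build the ip rule command for "add" or "del". "ipproto tcp" is the fix from
# the thread: with "dport 22" alone the rule would also catch UDP/22.
ssh_rule_cmd() {
    printf 'ip rule %s priority %s to %s ipproto tcp dport 22 lookup %s\n' \
        "$1" "$RULE_PRIO" "$INTERNAL_NET" "$WG_TABLE"
}

# Execute a command string, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# True if a rule already sits at our priority ("ip rule show" prints "PRIO:\t...").
rule_present() {
    ip rule show 2>/dev/null | grep -q "^${RULE_PRIO}:"
}

# Idempotent add, so a re-run PostUp does not stack duplicate rules.
rule_up() {
    if [ "$DRY_RUN" != 1 ] && rule_present; then
        echo "rule at priority $RULE_PRIO already present, nothing to do" >&2
        return 0
    fi
    run "$(ssh_rule_cmd add)"
}

rule_down() {
    run "$(ssh_rule_cmd del)"
}

# Ask the kernel which path two probe packets take. TCP/22 must resolve via
# $WG_IF; UDP/22 must not, which is exactly what "ipproto tcp" buys us.
rule_verify() {
    host="${1:-${INTERNAL_NET%/*}}"   # default probe target: the network address
    tcp_path=$(ip route get "$host" ipproto tcp dport 22 2>/dev/null)
    udp_path=$(ip route get "$host" ipproto udp dport 22 2>/dev/null)
    case "$tcp_path" in
        *" dev $WG_IF "*) ;;
        *) echo "FAIL: tcp/22 to $host is not via $WG_IF: $tcp_path" >&2; return 1 ;;
    esac
    case "$udp_path" in
        *" dev $WG_IF "*) echo "FAIL: udp/22 to $host also goes via $WG_IF" >&2; return 1 ;;
    esac
    echo "OK: tcp/22 -> $WG_IF, udp/22 keeps its normal route"
}

# The three lines to put in the [Interface] section of the wg-quick config.
wg_quick_fragment() {
    printf 'Table = %s\nPostUp = %s\nPostDown = %s\n' \
        "$WG_TABLE" "$(ssh_rule_cmd add)" "$(ssh_rule_cmd del)"
}

case "${1:-}" in
    up)     rule_up ;;
    down)   rule_down ;;
    verify) rule_verify "${2:-}" ;;
    config) wg_quick_fragment ;;
esac
```

Two points worth keeping in mind when using it. "Table = 2468" is what makes the scheme work at all: with the default "Table = auto", wg-quick would install the AllowedIPs route in the main table, where it would compete with the OpenVPN routes for the same range; with a numbered table, wg-quick only puts the route there, and nothing reaches it except what the rule steers in. The "ipproto" and "dport" selectors for ip rule need Linux 4.17 or newer and a matching iproute2, which is also the first version whose "ip route get" accepts those selectors for the verify step. Run "DRY_RUN=1 ./wg-ssh-only.sh up" to see the command without touching the routing tables.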