Regarding "Inferring and hijacking VPN-tunneled TCP connections"

Jason A. Donenfeld Jason at zx2c4.com
Fri Dec 6 16:18:49 CET 2019


Hi Vasili,

On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin <diggest at gmail.com> wrote:
> I've just figured out that the same effect can also be achieved with
> iptables:
> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP

Neat trick, but it still requires this to run on all incoming packets
from all interfaces, right? In other words, it enables a strong host
model for the whole system instead of just with regards to addresses
"owned" by the WireGuard interface. Adding support for the latter
would get us back to the original rule we're using right now, right?

> But for the sake of wg-quick
> the filter can be enabled for the wireguard interface only to be sure it
> wouldn't break anything else

How do you propose this works? That'd require adding -d, right? In
that case we're back to more or less the original rule. If you do it
with -i, then it fails to filter the bad packets that we want to be
filtering.

Jason
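Added example, not part of the mail above and not wg-quick's own code: a small Python model of the three rule shapes under discussion, run over a few constructed packets, to show why scoping with -i misses the injected packet while -d reduces to a per-address rule. The host layout (eth0 at 192.168.1.10, wg0 at 10.0.0.2), the traffic, and the per-address rule text (my reconstruction of the kind of `! -i wg0 -d ADDR -m addrtype ! --src-type LOCAL -j DROP` rule wg-quick installs) are assumptions; the addrtype semantics are simplified to "is the address assigned on this host / on the ingress interface".

```python
"""Model of three iptables rule shapes from the thread (constructed example).

Simplified match semantics, enough for the point being argued:
  addrtype --dst-type LOCAL    dst is an address assigned on this host
  --limit-iface-in             ... restricted to addresses on the ingress interface
  addrtype --src-type LOCAL    src is an address assigned on this host
  -i IFACE / ! -i IFACE        ingress interface match, optionally negated
  -d ADDR                      destination address match
"""
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address

# Constructed host layout (assumption): one LAN interface and one tunnel.
IFACE_ADDRS = {
    "lo":   {ip_address("127.0.0.1")},
    "eth0": {ip_address("192.168.1.10")},
    "wg0":  {ip_address("10.0.0.2")},
}
WG_IFACE = "wg0"


def local_addrs(iface=None):
    """LOCAL addresses; with iface given, only those on that interface
    (what --limit-iface-in restricts the addrtype check to)."""
    if iface is None:
        return set().union(*IFACE_ADDRS.values())
    return IFACE_ADDRS.get(iface, set())


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: IPv4Address
    dst: IPv4Address


# Rule 1, the system-wide rule quoted in the mail:
# iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP
def drop_system_wide(pkt):
    return pkt.dst not in local_addrs(pkt.in_iface)


# Rule 2, one rule per tunnel address (my reconstruction, not quoted from the mail):
# iptables -t raw -I PREROUTING ! -i wg0 -d 10.0.0.2 -m addrtype ! --src-type LOCAL -j DROP
def drop_per_address(pkt, wg_iface=WG_IFACE):
    return any(pkt.in_iface != wg_iface and pkt.dst == addr
               and pkt.src not in local_addrs()
               for addr in IFACE_ADDRS[wg_iface])


# Rule 3, the "-i wg0" scoping that Jason says misses the bad packets:
# iptables -t filter -I INPUT -i wg0 -m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP
def drop_iface_scoped(pkt, wg_iface=WG_IFACE):
    return pkt.in_iface == wg_iface and pkt.dst not in local_addrs(pkt.in_iface)


RULES = {
    "system-wide": drop_system_wide,
    "per-address": drop_per_address,
    "-i wg0 only": drop_iface_scoped,
}

# Constructed traffic. The first packet is the shape the paper relies on:
# a LAN neighbour on eth0 addressing the host's tunnel IP directly.
INJECTED = "injected, eth0 -> wg0 addr"
PACKETS = {
    INJECTED:                     Packet("eth0", ip_address("192.168.1.1"), ip_address("10.0.0.2")),
    "normal LAN traffic":         Packet("eth0", ip_address("192.168.1.1"), ip_address("192.168.1.10")),
    "traffic through the tunnel": Packet("wg0",  ip_address("10.0.0.1"),   ip_address("10.0.0.2")),
    "loopback":                   Packet("lo",   ip_address("127.0.0.1"),  ip_address("127.0.0.1")),
}


def verdicts(rule_name):
    """Return {packet label: 'DROP' | 'ACCEPT'} for one rule."""
    rule = RULES[rule_name]
    return {label: ("DROP" if rule(pkt) else "ACCEPT") for label, pkt in PACKETS.items()}


def rules_that_stop_injection():
    """Names of the rules that drop the injected packet and pass everything else."""
    good = []
    for name in RULES:
        v = verdicts(name)
        if v[INJECTED] == "DROP" and all(x == "ACCEPT" for k, x in v.items() if k != INJECTED):
            good.append(name)
    return good


if __name__ == "__main__":
    for name in RULES:
        print(f"{name}:")
        for label, v in verdicts(name).items():
            print(f"  {v:6} {label}")
    print("stops the injected packet:", rules_that_stop_injection())
```

Both the system-wide rule and the per-address rule drop the injected packet; only the -i wg0 variant lets it through, because that packet never arrives on wg0. The difference between the first two is scope, not outcome: the system-wide rule evaluates every inbound packet on every interface, while the per-address rule only touches packets aimed at the tunnel's own addresses.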

