Regarding "Inferring and hijacking VPN-tunneled TCP connections"

Vasili Pupkin diggest at
Fri Dec 6 18:21:08 CET 2019

On 06.12.2019 18:18, Jason A. Donenfeld wrote:
>>   But for the sake of wg-quick
>> the filter can be enabled for wireguard interface only to be sure it
>> wouldn't break anything else
> How do you propose this works? That'd require adding -d, right? In
> that case we're back to more or less the original rule. If you do it
> with -i, then it fails to filter the bad packets that we want to be
> filtering.

Actually it appears to be harder than I first thought.

The -d option will let broadcast addresses pass the rule. Is it a
problem here? In the original bulletin the authors talk about TCP. Testing
for interface name doesn't make much sense either, as you said...
