Regarding "Inferring and hijacking VPN-tunneled TCP connections"

Lonnie Abelbeck lists at
Sat Dec 7 21:51:40 CET 2019

> On Dec 6, 2019, at 9:18 AM, Jason A. Donenfeld <Jason at> wrote:
> Hi Vasili,
> On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin <diggest at> wrote:
>> I've just figured out that the same effect can also be achieved with
>> iptables:
>> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type
> Neat trick, but it still requires this to run on all incoming packets
> from all interfaces, right? In other words, it enables a strong host
> model for the whole system instead of just with regards to addresses
> "owned" by the WireGuard interface. Adding support for the latter
> would get us back to the original rule we're using right now, right?

For what its worth, if some sort of basic firewall with conntrack is enabled, Step 1 of the attack is blocked with a "ctstate INVALID" rule.

Per testing in the lab, using attack "nping --tcp --flags SA ..."

For Example, VALID_CHK in the (external facing) INPUT and FORWARD chains:
-A VALID_CHK -m conntrack --ctstate INVALID -j DROP
for both iptables and ip6tables filter tables.

Is it common some sort of basic firewall with conntrack is not enabled ?


More information about the WireGuard mailing list