Netfilter redirect does not work with wireguard
Nico Schottelius
nico.schottelius at ungleich.ch
Thu Nov 7 17:38:42 CET 2019
Hello,
I am experimenting with nft / netfilter redirects to support wireguard
packets on *any* udp port. I tried using the following configuration for
nftables:
[17:34:14] vpn-2a0ae5c1:~# cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        # SSH works
        tcp dport != 22 redirect to 22
        # wireguard doesn't
        udp dport != 51820 redirect to 51820
    }
    chain postrouting {
        type nat hook postrouting priority 0;
    }
}
However, as you can see in the comments, this does not work with
WireGuard, but it does work with SSH.
I can see that WireGuard is in kernel space and SSH in user space, but does
that cause the netfilter part to be skipped, or am I making some silly
mistake here?
Best regards,
Nico
--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch