Iptables WireGuard obfuscation extension

Wei Chen weichen302 at zoho.com
Sun Oct 2 23:13:22 UTC 2022

Hi Roman,

> The "Usage" section speaks of "server" and "client". However in the WG world
> there's not really a server or client per se, but all WG network members are
> peers. As such, is it possible to propose a universal set of iptables rules
> that would be fine to use on any network node?
> As I understand, all INPUT packets to our local --dport need to be --unobfs,
> and all OUTPUT packets from us to any other node need to be --obfs. Right?

Yes, you are right. Besides unobfs/obfs on the INPUT/OUTPUT chains for a local
WG installation, one can also use it on a Linux gateway and mangle the
FORWARD chain. I haven't tested it but it should work.

