I am using wg-quick to open a VPN connection. I can see the utility is setting some nft rules and I would like to understand them. I have moderate knowledge of iptables but none of nftables.

Here is the WireGuard config file:

[Interface]
PrivateKey = xxxxx
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = yyyyyyyy
AllowedIPs = 0.0.0.0/0
Endpoint = 185.159.157.129:51820

When I invoke wg-quick I see this:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63

Here is a dump of the nft rules:

table ip wg-quick-wg0 {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wg0" ip daddr 10.2.0.2 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }
}

What do these nft rules mean, what are they for, and why are they needed?

Patrick

1 Answer

The 1st rule blocks inbound access to 10.2.0.2 from other interfaces and non-local-scoped addresses. It only accepts packets from IP addresses directly accessed via interfaces of your computer. This is for security.

The 2nd and 3rd are connection-marking rules for policy routing of WireGuard's traffic. They are tightly coupled with the routing rule

ip -4 rule add not fwmark 51820 table 51820

With this rule, all inbound and outbound traffic not marked with 51820 is routed via wg0.

But we need

  • outgoing packets from WireGuard itself routed to the endpoint (remote peer) via the main route table and not into the wg0 tunnel via the 51820 table, and
  • incoming replies from the remote wg peer routed to WireGuard's process and not into the wg0 tunnel via the 51820 table.

wg marks its outgoing packets with the value 51820 by itself, by setting the option with

wg set wg0 fwmark 51820

To distinguish incoming replies' packets from all other incoming packets, we need to mark the whole of wg's connections, so we can restore the same packet mark only for those incoming packets that "belong" to these connections.

The 3rd rule marks outgoing WireGuard connections whose packets have mark 51820 (0x0000ca6c in hex) with that mark, so we can distinguish inbound replies of these connections with conntrack's help.

The 2nd rule copies the connection's mark back to the packet's mark for all inbound packets.
So packets which are replies to outgoing WireGuard connections will have mark 51820 and will not be routed into wg0 but to the host itself.

Also: https://stackoverflow.com/questions/65178004/what-does-ip-4-rule-add-table-main-suppress-prefixlength-0-meaning

Check out where routing happens: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

gapsf
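An added model of the decision logic the answer describes (this is not part of the question or the answer, nor wg-quick's own code): the three ip rules, the two mark rules and the preraw rule, plus the reverse-path check that src_valid_mark=1 makes mark-aware, which is where the restored connection mark decides whether an inbound reply is kept or dropped. The host addresses, the LAN route in the main table, the conntrack dictionary and strict rp_filter are constructed assumptions.

```python
import ipaddress

FWMARK = 51820                   # 0xca6c, set by "wg set wg0 fwmark 51820"
WG_ADDR = "10.2.0.2"
ENDPOINT = "185.159.157.129"
LOCAL = {WG_ADDR, "192.168.1.10", "127.0.0.1"}              # constructed: the host's own addresses
MAIN = [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")]  # constructed main routing table
TABLE_51820 = [("0.0.0.0/0", "wg0")]                        # ip route add 0.0.0.0/0 dev wg0 table 51820
conntrack = {}                                              # constructed stand-in for the kernel conntrack table

def lookup(table, dst):
    """Longest-prefix match: returns (prefixlen, dev) or None."""
    best = None
    for cidr, dev in table:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best

def route(dst, mark):
    """ip rules wg-quick adds, in lookup order: main with suppress_prefixlength 0 (only
    non-default routes may win), then 'not fwmark 51820 lookup 51820', then main."""
    hit = lookup(MAIN, dst)
    if hit and hit[0] > 0:
        return hit[1]
    if mark != FWMARK:
        return lookup(TABLE_51820, dst)[1]
    return hit[1]

def ct_key(p):
    """Direction-independent flow key, so a reply finds the original entry."""
    return (p["proto"],) + tuple(sorted([(p["saddr"], p["sport"]), (p["daddr"], p["dport"])]))

def send(p):
    """Locally generated packet: routing decision, then chain postmangle."""
    dev = route(p["daddr"], p["mark"])
    if p["proto"] == "udp" and p["mark"] == FWMARK:   # meta l4proto udp meta mark 0xca6c ct mark set meta mark
        conntrack[ct_key(p)] = p["mark"]
    return dev

def receive(p, iif):
    """Inbound packet: chain preraw, chain premangle, then the reverse-path check."""
    if iif != "wg0" and p["daddr"] == WG_ADDR and p["saddr"] not in LOCAL:
        return "drop (preraw)"       # iifname != "wg0" ip daddr 10.2.0.2 fib saddr type != local drop
    if p["proto"] == "udp":          # meta l4proto udp meta mark set ct mark
        p["mark"] = conntrack.get(ct_key(p), 0)
    # src_valid_mark=1 with strict rp_filter: the route back to saddr, looked up with
    # the restored mark, must leave through the interface the packet arrived on
    if route(p["saddr"], p["mark"]) != iif:
        return "drop (rp_filter)"
    return "local" if p["daddr"] in LOCAL else route(p["daddr"], p["mark"])
```

Without the premangle restore, the reply from the endpoint would carry mark 0, the reverse-path lookup would pick wg0 from table 51820, and the packet would fail the check on eth0.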