Open GANHONG1995 opened 5 years ago
and udp same?
From: Arnie97 <arnie97@gmail.com>
Date: Sat, 13 Jun 2020 15:51:28 +0800
Subject: [PATCH] allow all ports
---
filter.go | 37 +------------------------------------
1 file changed, 1 insertion(+), 36 deletions(-)
diff --git a/filter.go b/filter.go
index 6b54746..0cf4995 100644
--- a/filter.go
+++ b/filter.go
@@ -105,40 +105,5 @@ func (sf *portFilter) Filter(b []byte, d direction) (drop bool) {
if ip.Version() != 4 {
return true // No support for tunneling IPv6
}
+ return false
- if ip.Protocol() != tcp && ip.Protocol() != udp {
- return ip.Protocol() != icmp // Always allow ping
- }
- src, dst := transportPacket(ip.Body()).Ports()
- if sf.ports[src] && sf.ports[dst] {
- return false
- }
- switch d {
- case outbound:
- if sf.ports[src] && dst > 0 {
- // Check whether the destination port is somewhere we have received
- // an inbound packet from.
- ts := atomic.LoadUint64(&sf.inMap[dst])
- return timeNow()-ts >= expireTimeout
- }
- if sf.ports[dst] && src > 0 {
- // Allowed outbound packet, remember the source port so that inbound
- // traffic is allowed to hit that destination port.
- atomic.StoreUint64(&sf.outMap[src], timeNow())
- return false
- }
- case inbound:
- if sf.ports[src] && dst > 0 {
- // Check whether the destination port is somewhere we have sent
- // an outbound packet to.
- ts := atomic.LoadUint64(&sf.outMap[dst])
- return timeNow()-ts >= expireTimeout
- }
- if sf.ports[dst] && src > 0 {
- // Allowed inbound packet, remember the source port so that outbound
- // traffic is allowed to hit that destination port.
- atomic.StoreUint64(&sf.inMap[src], timeNow())
- return false
- }
- }
- return true
}
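Review bot: the inserted `return false` directly after the IPv6 check makes Filter accept every IPv4 packet regardless of protocol, port or direction, so the AllowedPorts check and the inbound/outbound tracking (`sf.inMap`/`sf.outMap` compared against `expireTimeout`) that only lets replies to allowed connections through are both removed, and `sf.ports`, `sf.inMap` and `sf.outMap` become unused in this function. Rather than deleting that logic, consider gating it behind a configuration switch, e.g. `if sf.allowAll { return false }` ahead of the existing protocol check, so deployments that do not route everything through the tunnel keep the filter. The `+` line is also placed above the `-` block, which suggests the hunk was hand-edited; regenerating it from a working tree would keep it applying cleanly.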
@Arnie97 this helped me out two years later. Thank you very much!
For anyone (or me) looking at this in the future: compile the patched version on both sides. Keep the AllowedPorts string in the config; it doesn't matter which port you specify.
Why is this needed? We need access to all the ports if we're routing internet via the tunnel.
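To show what the patch above trades away, here is an added example (not the project's code and not Arnie97's patch) that keeps the original allowlist and reply-tracking logic but adds a hypothetical `allowAll` setting, so routing all traffic through the tunnel becomes a configuration choice instead of a deleted filter. The `packet` type, `newPortFilter`, `scenario` and the `expire`/`now` fields are constructed for this example; the decision order inside `Filter` follows the lines the patch removes.

```go
package main

import (
	"fmt"
	"time"
)

type direction int

const outbound, inbound direction = 0, 1

// packet stands in for the parsed IPv4 transport header the real filter reads (constructed for this example).
type packet struct {
	proto    string // "tcp", "udp" or "icmp"
	src, dst uint16
}

// portFilter holds the allowlist plus the two per-direction port tables that let replies through.
type portFilter struct {
	allowAll bool                 // hypothetical config switch, instead of deleting the tracking logic
	ports    map[uint16]bool      // the AllowedPorts setting
	expire   time.Duration        // stands in for the original expireTimeout
	now      func() time.Time     // injectable clock so expiry can be tested
	inMap    map[uint16]time.Time // source ports of allowed inbound packets
	outMap   map[uint16]time.Time // source ports of allowed outbound packets
}

func newPortFilter(allowed []uint16, expire time.Duration, allowAll bool) *portFilter {
	pf := &portFilter{
		allowAll: allowAll,
		ports:    make(map[uint16]bool, len(allowed)),
		expire:   expire,
		now:      time.Now,
		inMap:    make(map[uint16]time.Time),
		outMap:   make(map[uint16]time.Time),
	}
	for _, p := range allowed {
		pf.ports[p] = true
	}
	return pf
}

// Filter reports whether the packet should be dropped, in the original's decision order:
// protocol check, allowlist hit, then a direction-aware lookup of the peer port in the opposite table.
// Single-goroutine example: the original guards the tables with atomics, omitted here for brevity.
func (sf *portFilter) Filter(p packet, d direction) (drop bool) {
	if sf.allowAll {
		return false // "allow all ports" as a setting, leaving the code below in place
	}
	if p.proto != "tcp" && p.proto != "udp" {
		return p.proto != "icmp" // always allow ping
	}
	if sf.ports[p.src] && sf.ports[p.dst] {
		return false
	}
	switch d {
	case outbound:
		if sf.ports[p.src] && p.dst > 0 {
			// Drop unless we recently received an inbound packet from p.dst.
			return sf.now().Sub(sf.inMap[p.dst]) >= sf.expire
		}
		if sf.ports[p.dst] && p.src > 0 {
			sf.outMap[p.src] = sf.now() // remember the source port so the reply can come back
			return false
		}
	case inbound:
		if sf.ports[p.src] && p.dst > 0 {
			return sf.now().Sub(sf.outMap[p.dst]) >= sf.expire
		}
		if sf.ports[p.dst] && p.src > 0 {
			sf.inMap[p.src] = sf.now()
			return false
		}
	}
	return true
}

// scenario runs a constructed client/reply exchange through the filter and returns the drop decisions.
func scenario() map[string]bool {
	clock := time.Unix(1_600_000_000, 0)
	pf := newPortFilter([]uint16{22}, 30*time.Second, false)
	pf.now = func() time.Time { return clock }
	out := map[string]bool{}
	out["syn"] = pf.Filter(packet{"tcp", 40000, 22}, outbound)        // local 40000 -> allowed 22: pass, record 40000
	out["reply"] = pf.Filter(packet{"tcp", 22, 40000}, inbound)       // reply to a recorded port: pass
	out["unsolicited"] = pf.Filter(packet{"tcp", 22, 40001}, inbound) // port never seen outbound: drop
	clock = clock.Add(31 * time.Second)
	out["expired"] = pf.Filter(packet{"tcp", 22, 40000}, inbound)     // tracking entry past expire: drop
	out["unrelated"] = pf.Filter(packet{"udp", 5000, 6000}, outbound) // neither port allowed: drop
	all := newPortFilter(nil, 30*time.Second, true)
	out["allowall"] = all.Filter(packet{"udp", 5000, 6000}, outbound) // what the patch hard-codes: pass
	return out
}

func main() {
	for k, v := range scenario() {
		fmt.Printf("%-12s drop=%v\n", k, v)
	}
}
```

The `expired` case is the one to watch when a large AllowedPorts list is used instead of the switch: a reply that arrives after the tracking entry has aged out is dropped, whereas `allowAll` skips the tables entirely.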
I recommend checking out https://tailscale.com/. It's free for personal users and does what this project does, but much better and with far more features.
Does tailscale use wg(8) to configure the tunnel interfaces? I want to run it on a network where the UDP packets that include the WireGuard header, which is constructed by wg(8), are blocked.
This is why I currently use your project here.
heh this seems to break for me slightly - connections just drop every n minutes or so. Doesn't happen if I just specify a big array of ports allowed (but that's not practical and sometimes a "bad one" gets hit)
hmmmmm
How can I allow ports 1 to 65535? Thanks