Closed boss1819 closed 11 months ago
It is tricky to do it with iptables alone. Better to set up two wg instances listening on separate ports, then apply the iptables rules to the port that serves client A.
In case anyone else is trying to do this, this can be done using connmarks:
```sh
WGOBFS_KEY="supersecretkey"
WGOBFS_PORT=12345
WG_PORT=51820

# Mark packets from wgobfs port
iptables -t mangle -A PREROUTING -p udp -m udp --dport $WGOBFS_PORT -j CONNMARK --set-mark=123

# Deobfuscate packets
iptables -t mangle -A PREROUTING -p udp -m udp --dport $WGOBFS_PORT -j WGOBFS --key $WGOBFS_KEY --unobfs

# Redirect them to wireguard port
iptables -t nat -A PREROUTING -p udp -m udp --dport $WGOBFS_PORT -j REDIRECT --to-port $WG_PORT

# Obfuscate packets back
iptables -t mangle -A OUTPUT -m connmark --mark 123 -j WGOBFS --key $WGOBFS_KEY --obfs
```
The script is self-explanatory. It's not so complicated, but it indeed was a bit tricky to come up with and debug. Anyway, hope this helps.
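An added example, not code from this thread or from the xt_wgobfs project: the same four connmark rules wrapped in a small POSIX sh script that can print, apply or remove them. Applying is idempotent (each rule is checked with `iptables -C` before it is appended), so the script can be re-run after a reboot or a config reload without duplicating rules. Key, ports and mark value are placeholders carried over from the post above and can be overridden through the environment; `IPTABLES` can be pointed at a wrapper for dry runs.

```shell
#!/bin/sh
# Added example, not from the thread or the xt_wgobfs project: manage the
# connmark-based server rules from the post above as one idempotent script.
# Key, ports and mark below are placeholders (assumed values); override them
# through the environment. IPTABLES may point at a wrapper for dry runs.
WGOBFS_KEY="${WGOBFS_KEY:-supersecretkey}"   # must not contain whitespace
WGOBFS_PORT="${WGOBFS_PORT:-12345}"          # public, obfuscated UDP port
WG_PORT="${WG_PORT:-51820}"                  # port WireGuard really listens on
WGOBFS_MARK="${WGOBFS_MARK:-123}"            # connmark; pick one nothing else uses
IPTABLES="${IPTABLES:-iptables}"

# One rule per line: "<table> <chain> <rule spec>". The same list drives
# -C (check), -A (append) and -D (delete), so the three never drift apart.
wgobfs_rules() {
    cat <<EOF
mangle PREROUTING -p udp -m udp --dport $WGOBFS_PORT -j CONNMARK --set-mark $WGOBFS_MARK
mangle PREROUTING -p udp -m udp --dport $WGOBFS_PORT -j WGOBFS --key $WGOBFS_KEY --unobfs
nat PREROUTING -p udp -m udp --dport $WGOBFS_PORT -j REDIRECT --to-ports $WG_PORT
mangle OUTPUT -m connmark --mark $WGOBFS_MARK -j WGOBFS --key $WGOBFS_KEY --obfs
EOF
}

# Print the commands that "apply" would run, without touching the kernel.
wgobfs_print() {
    wgobfs_rules | while read -r table chain spec; do
        echo "$IPTABLES -t $table -A $chain $spec"
    done
}

# Append each rule unless an identical one is already present (iptables -C),
# so re-running the script after a reboot or a config reload is safe.
wgobfs_apply() {
    wgobfs_rules | while read -r table chain spec; do
        # shellcheck disable=SC2086  # $spec is intentionally word-split
        if "$IPTABLES" -t "$table" -C "$chain" $spec 2>/dev/null; then
            echo "already present: -t $table $chain $spec"
        else
            "$IPTABLES" -t "$table" -A "$chain" $spec
        fi
    done
}

# Delete the rules; missing ones are ignored so teardown is also idempotent.
wgobfs_remove() {
    wgobfs_rules | while read -r table chain spec; do
        # shellcheck disable=SC2086
        "$IPTABLES" -t "$table" -D "$chain" $spec 2>/dev/null || true
    done
}

case "${1:-print}" in
    print)  wgobfs_print ;;
    apply)  wgobfs_apply ;;
    remove) wgobfs_remove ;;
    *)      echo "usage: $0 [print|apply|remove]" >&2; exit 2 ;;
esac
```

Run it with no argument to see the rules, `apply` to install them and `remove` to tear them down. The connmark is what makes the server side work with a single WireGuard listener: after the REDIRECT, WireGuard's replies leave from `WG_PORT`, so a `--sport $WGOBFS_PORT` match would never see them, while the mark stored on the conntrack entry still identifies the connection as one that arrived obfuscated. Two things to check on a real box: choose a mark value that no other connmark user (policy routing, QoS) already relies on, and keep the key free of whitespace, since the rule spec is word-split before it reaches iptables.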
Hi,
If you have 2 clients: client A is behind a firewall and needs to use xt_wgobfs to connect to the server; client B connects from a location where the WireGuard connection from client to server is not blocked.
What should the iptables configuration on the server be, to selectively apply obfs and unobfs only to traffic from client A? Any smart iptables rule that can do this, assuming the client IP address is not static?
If the server has iptables configured as described in the readme, but client B does not use xt_wgobfs, will the traffic be dropped?
Thanks and regards