mitmproxy / mitmproxy

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
https://mitmproxy.org
MIT License
36.42k stars 4.01k forks

Wireguard mode with MITM with docker container doesn't work #6882

Closed a4501150 closed 4 months ago

a4501150 commented 4 months ago

Problem Description

Wireguard client unable to connect to proxy server when MITM is running with docker.

Steps to reproduce the behavior:

  1. Run the mitmproxy docker container as follows: docker run --rm -it --expose 8081 --expose 51820 -v $(pwd):/workspace -p 51820:51820 -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0 --set block_global=false --set listen_host=0.0.0.0 --mode wireguard

Then the following output should appear:

[23:52:52.154] ------------------------------------------------------------
[Interface]
PrivateKey = Ezl/k4Batuhcta/7lrPdmxreegWrGkjUXOzBUrfzYEY=
Address = 10.0.0.1/32
DNS = 10.0.0.53

[Peer]
PublicKey = OEEz0S8dgVcs+yZ+QvGSzLgeMB/nbGh7U2ud9YrJyGk=
AllowedIPs = 0.0.0.0/0
Endpoint = 0.0.0.0:51820
------------------------------------------------------------
[23:52:52.154] WireGuard server listening at *:51820.
[23:52:52.155] Web server listening at http://0.0.0.0:8081/
[23:52:52.212] No web browser found. Please open a browser and point it to http://0.0.0.0:8081/
  2. Confirm that we can access the web server at 127.0.0.1:8081 on the host.
  3. But when we try to connect to the WireGuard server from another device on the same LAN, it just doesn't work.

System Information

mhils commented 4 months ago

WireGuard runs over UDP, so I guess that requires some special treatment: https://stackoverflow.com/questions/27596409/how-do-i-publish-a-udp-port-on-docker

In either case, this is very likely Docker idiosyncrasies and not a mitmproxy bug.

a4501150 commented 4 months ago

Hey @mhils thanks for quick reference,

after change to docker run --rm -it -v $(pwd):/workspace -p 51820:51820/udp -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0 --set block_global=false --set listen_host=0.0.0.0 --mode wireguard -s /workspace/response.py

then got this error in console output:

Failed to process a WireGuard handshake packet: InvalidAeadTag

I still guess it is something related to how the WireGuard server in mitmproxy handles UDP that is somehow not correct when running under Docker.

sujaldev commented 4 months ago

Do try running it without your script; perhaps it is responsible for causing this issue.

a4501150 commented 4 months ago

The script works fine when run directly.

sujaldev commented 4 months ago

I see, but have you tried running without the script in the container?

a4501150 commented 4 months ago

Yes, it's the same error @sujaldev

a4501150 commented 4 months ago

I believe it's an error with the private key validation.

https://docs.rs/boringtun/latest/src/boringtun/noise/handshake.rs.html

sujaldev commented 4 months ago

Try adding --set confdir=/root/.mitmproxy to the mitmweb command and make your config persist by adding -v $(pwd)/.mitmproxy:/root/.mitmproxy/ to your docker command (or use home if you prefer that), like so:

docker run --rm -it -v $(pwd):/workspace -v $(pwd)/.mitmproxy:/root/.mitmproxy/ -p 51820:51820/udp -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0 --set block_global=false --set listen_host=0.0.0.0 --mode wireguard -s /workspace/response.py --set confdir=/root/.mitmproxy

And then update your client with the new config.
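Why persisting confdir fixes the InvalidAeadTag: mitmproxy keeps the WireGuard server key pair under confdir and generates a new one when none is found, so a `--rm` container without a mounted confdir starts with a fresh server key on every run, while the client still carries the [Peer] PublicKey printed by the previous run. In the real Noise_IKpsk2 handshake the initiator authenticates its static public key under a key derived from DH(ephemeral_i, static_r); a responder holding a different static key derives a different key and the AEAD check fails. The script below is an added example, not mitmproxy's or boringtun's code: it implements X25519 per RFC 7748 in pure Python and a deliberately simplified model of the first handshake message (a keyed BLAKE2s tag stands in for ChaCha20-Poly1305; mac1/mac2, the timestamp and the rest of the state machine are omitted). All keys are generated inside the script; nothing is taken from the thread except the error string.

```python
"""Added example: a stale [Peer] PublicKey on the client vs. a regenerated
server key. Not the WireGuard wire format; see the lead-in for what is modelled."""
import base64
import hashlib
import hmac
import os

P = 2**255 - 19                 # Curve25519 field prime
A24 = 121665                    # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


class InvalidAeadTag(Exception):
    """The responder could not authenticate the handshake message."""


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248                 # clamping per RFC 7748 section 5
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder (not constant-time; demo only)."""
    k_int = _decode_scalar(k)
    u = bytearray(u)
    u[31] &= 127                # mask the unused top bit of the u-coordinate
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair() -> tuple[bytes, bytes]:
    """Fresh X25519 key pair, as generated when no stored server key exists."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def public_key_b64(priv_b64: str) -> str:
    """Public key for a base64 WireGuard private key (the PrivateKey= line)."""
    return base64.b64encode(x25519(base64.b64decode(priv_b64), BASEPOINT)).decode()


def _tag(shared_secret: bytes, msg: bytes) -> bytes:
    # Stand-in for the AEAD: 16-byte keyed BLAKE2s tag under a hashed DH output.
    key = hashlib.blake2s(shared_secret).digest()
    return hmac.new(key, msg, hashlib.blake2s).digest()[:16]


def initiate(client_priv: bytes, server_pub_in_config: bytes) -> tuple[bytes, bytes, bytes]:
    """Client: send ephemeral pub + static pub, authenticated under DH(eph, server_static).
    server_pub_in_config is whatever the client's [Peer] PublicKey says."""
    eph_priv, eph_pub = keypair()
    client_pub = x25519(client_priv, BASEPOINT)
    return eph_pub, client_pub, _tag(x25519(eph_priv, server_pub_in_config), client_pub)


def respond(server_priv: bytes, msg: tuple[bytes, bytes, bytes]) -> bytes:
    """Server: recompute the DH with its *current* static key and verify the tag."""
    eph_pub, client_pub, tag = msg
    if not hmac.compare_digest(tag, _tag(x25519(server_priv, eph_pub), client_pub)):
        raise InvalidAeadTag("Failed to process a WireGuard handshake packet: InvalidAeadTag")
    return client_pub


def handshake_ok(server_priv: bytes, client_priv: bytes, server_pub_in_config: bytes) -> bool:
    try:
        respond(server_priv, initiate(client_priv, server_pub_in_config))
        return True
    except InvalidAeadTag:
        return False


def simulate_container_restart() -> dict:
    """Run 1 prints a config with the run-1 server key. With confdir persisted the
    same key is used on run 2; without it a new key is generated (constructed here
    with keypair()) and the client's stored peer key is stale."""
    client_priv, _ = keypair()
    run1_priv, run1_pub = keypair()
    run2_priv, _ = keypair()
    return {
        "persisted_confdir": handshake_ok(run1_priv, client_priv, run1_pub),
        "fresh_container": handshake_ok(run2_priv, client_priv, run1_pub),
    }


if __name__ == "__main__":
    print(simulate_container_restart())
```

public_key_b64 is handy for checking a client config by hand: the public key it derives from the client's PrivateKey= line is what the server must hold as its peer, and the [Peer] PublicKey in the client config must match the server's current key, which only stays stable across container restarts if the confdir volume is mounted.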