Transparent proxy does not work with wireguard

I am currently in an area where Tor is censored. Previously I used OpenVPN before Tor to avoid censorship. I also used a transparent proxy for a certain user, following this guide.

Now OpenVPN is banned by protocol too. So I switched to the AmneziaWG VPN protocol. The problem is that AmneziaWG, like vanilla WireGuard, uses nftables when opening a tunnel, so it breaks the iptables rules which make the transparent proxy work. Tor itself works ok, only the transparent proxy breaks.

I suspect it is specifically this rule that fails to append:
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040

Can anyone help me with fixing that issue? Maybe rewrite that rule for nftables?

Use iptables-translate to translate the iptables rule to nft rule.

iptables-translate -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040

Hi
I don't know your network topology and IPv4 usage. But taking a brief look at the guide you mention plus your suspicion: that rule forwards any TCP to 9040.

Could

iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040

or

iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040

be useful?

The first excludes lo and the latter respects the destination address.
I hope not to confuse everyone reading; my home is BSD with PF.

Cheers

Just iptables-translate did not work for me, but it worked when I added the rules to iptables and then exported them from nftables. Now the nftables rules look like this.

# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		oifname != "lo" meta l4proto tcp skuid 1000  counter packets 0 bytes 0 redirect to :9040
		oifname != "lo" meta l4proto udp skuid 1000 udp dport 53 counter packets 0 bytes 0 redirect to :53
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		meta l4proto tcp skuid 1000 tcp dport 9040 counter packets 0 bytes 0 accept
		meta l4proto udp skuid 1000 udp dport 53 counter packets 0 bytes 0 accept
		oifname != "lo" skuid 1000 counter packets 0 bytes 0 drop
	}
}
table ip wg-quick-wg0 {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "wg0" ip daddr 10.x.x.x fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}

When I removed the line

  iifname != "wg0" ip daddr 10.x.x.x fib saddr type != local drop

everything started working as expected, meaning user id 1000 goes through Tor and the rest of the users go through WireGuard. But I'm afraid it would break the kill switch, which prevents Tor from being exposed to my ISP if my WireGuard breaks for some reason.

Do you have any suggestions?
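As an added illustration (not code from this thread), here is a small Python model of the two OUTPUT chains in the ruleset posted above, ip nat and ip filter. It assumes the kernel's redirect behaviour for locally generated packets (destination rewritten to 127.0.0.1, then re-routed via lo) and leaves the wg-quick-wg0 prerouting chains out, so it does not explain the preraw interaction; it only shows why uid 1000 traffic is redirected before the filter chain sees it, and what the final drop rule catches.

```python
# Toy model of the 'ip nat' and 'ip filter' OUTPUT chains from the posted
# `nft list ruleset`. It imitates only the rules in that dump, not general
# nftables semantics (e.g. the nat chain really only sees a connection's
# first packet; conntrack handles the rest).
TOR_UID = 1000      # skuid 1000 in the dump
TRANS_PORT = 9040   # Tor TransPort the tcp rule redirects to
DNS_PORT = 53       # Tor DNSPort the udp rule redirects to

def nat_output(pkt):
    """table ip nat, chain OUTPUT: type nat hook output priority -100.
    Runs before the filter chain because -100 < 0 (priority 'filter')."""
    if pkt["oif"] != "lo" and pkt["uid"] == TOR_UID:
        # 'redirect to :PORT' on a locally generated packet rewrites the
        # destination to 127.0.0.1 and the kernel re-routes it via lo.
        if pkt["proto"] == "tcp":
            return dict(pkt, daddr="127.0.0.1", dport=TRANS_PORT, oif="lo")
        if pkt["proto"] == "udp" and pkt["dport"] == DNS_PORT:
            return dict(pkt, daddr="127.0.0.1", dport=DNS_PORT, oif="lo")
    return pkt  # chain policy accept: packet left untouched

def filter_output(pkt):
    """table ip filter, chain OUTPUT: type filter hook output priority filter."""
    if pkt["uid"] == TOR_UID:
        if pkt["proto"] == "tcp" and pkt["dport"] == TRANS_PORT:
            return "accept"
        if pkt["proto"] == "udp" and pkt["dport"] == DNS_PORT:
            return "accept"
        if pkt["oif"] != "lo":
            return "drop"  # kill switch: nothing else from the Tor user leaves the host
    return "accept"  # chain policy for every other user

def output_path(pkt):
    """Run one locally generated packet through both output hooks.
    Returns (verdict, packet as it would leave the host)."""
    after_nat = nat_output(pkt)
    return filter_output(after_nat), after_nat

# Constructed sample packets; 'oif' is the interface routing picked before NAT.
SAMPLES = {
    "tor user, https":   {"uid": 1000, "proto": "tcp", "dport": 443, "daddr": "203.0.113.5", "oif": "wg0"},
    "tor user, ntp":     {"uid": 1000, "proto": "udp", "dport": 123, "daddr": "203.0.113.5", "oif": "wg0"},
    "other user, https": {"uid": 1001, "proto": "tcp", "dport": 443, "daddr": "203.0.113.5", "oif": "wg0"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, out = output_path(pkt)
        print(f"{name:20} -> {verdict}, leaves via {out['oif']} to {out['daddr']}:{out['dport']}")
```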