I am currently in an area where Tor is censored. Previously, to avoid censorship, I used OpenVPN before Tor. I also used a transparent proxy for a certain user, following this guide.
Now OpenVPN is blocked by protocol too, so I switched to the AmneziaWG VPN protocol. The problem is that AmneziaWG, like vanilla WireGuard, uses nftables when opening a tunnel, so it breaks the iptables rules that make the transparent proxy work. Tor itself works fine; only the transparent proxy breaks.
I suspect this rule in particular is the one that fails to be appended: iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040
Can anyone help me fix this issue? Maybe rewrite that rule for nftables?
Hi
I don't know your network topology or IPv4 usage, but taking a brief look at the guide you mention plus your suspicion: that rule forwards all TCP to 9040.
Could
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040
Plain iptables-translate didn't work for me, but it worked when I added the rules to iptables and then exported them from nftables. Now the nftables rules look like this:
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        oifname != "lo" meta l4proto tcp skuid 1000 counter packets 0 bytes 0 redirect to :9040
        oifname != "lo" meta l4proto udp skuid 1000 udp dport 53 counter packets 0 bytes 0 redirect to :53
    }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        meta l4proto tcp skuid 1000 tcp dport 9040 counter packets 0 bytes 0 accept
        meta l4proto udp skuid 1000 udp dport 53 counter packets 0 bytes 0 accept
        oifname != "lo" skuid 1000 counter packets 0 bytes 0 drop
    }
}
table ip wg-quick-wg0 {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "wg0" ip daddr 10.x.x.x fib saddr type != local drop
    }
    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }
    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}
When I removed the line
iifname != "wg0" ip daddr 10.x.x.x fib saddr type != local drop
everything started working as expected, meaning user id 1000 goes through Tor and the rest of the users go through WireGuard. But I'm afraid it would break the kill switch, which prevents Tor from being exposed to my ISP if my WireGuard breaks for some reason.