[ANNOUNCE] WireGuard Snapshot `0.0.20191206` Available

2019-12-06 Thread Jason A. Donenfeld
Hello, A new snapshot, `0.0.20191206`, has been tagged in the git repository. Please note that this snapshot is a snapshot rather than a final release that is considered secure and bug-free. WireGuard is generally thought to be fairly stable, and

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20191205` Available

2019-12-06 Thread Jason A. Donenfeld
Looks like an arch problem or a libnftnl problem. I've made a minimal reproducer:
printf '*filter\nCOMMIT\n*raw\nCOMMIT\n*mangle\nCOMMIT\n' | sudo iptables-nft-restore -n
I filed a bug report on Arch: https://bugs.archlinux.org/task/64755 You can follow up with them.

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread Vasili Pupkin
On 06.12.2019 18:18, Jason A. Donenfeld wrote:
But for the sake of wg-quick the filter can be enabled for the wireguard interface only, to be sure it wouldn't break anything else
How do you propose this works? That'd require adding -d, right? In that case we're back to more or less the original

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread Vasili Pupkin
On 06.12.2019 19:12, Jordan Glover wrote:
But the nft rule won't be visible from iptables tools like iptables-save, right? This may be confusing for people who still use iptables for setting up a firewall on their systems.
Right. And for those using NFT, they will see a strange rule in their

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20191205` Available

2019-12-06 Thread Jordan Glover
On Friday, December 6, 2019 3:52 PM, Jason A. Donenfeld wrote:
> On Fri, Dec 6, 2019 at 4:36 PM Jordan Glover golden_mille...@protonmail.ch wrote:
> > iptables is from Arch Linux iptables-nft package:
> > $ iptables --version
> > iptables v1.8.3 (nf_tables)
> Does the segfault happen with

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread Jordan Glover
On Friday, December 6, 2019 4:03 PM, Vasili Pupkin wrote:
> On 06.12.2019 18:08, Jason A. Donenfeld wrote:
> > On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover golden_mille...@protonmail.ch wrote:
> > > On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld ja...@zx2c4.com wrote:

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread Vasili Pupkin
On 06.12.2019 18:08, Jason A. Donenfeld wrote:
On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover wrote:
On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld wrote:
If we can make nft coexistence work reliably, perhaps we can run the nft rule on systems where the nft binary simply exists.

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20191205` Available

2019-12-06 Thread Jason A. Donenfeld
On Fri, Dec 6, 2019 at 4:36 PM Jordan Glover wrote:
> iptables is from Arch Linux iptables-nft package:
> $ iptables --version
> iptables v1.8.3 (nf_tables)
Does the segfault happen with the latest version in the git repo? https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick/linux.bash

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20191205` Available

2019-12-06 Thread Jordan Glover
On Friday, December 6, 2019 3:20 PM, Jason A. Donenfeld wrote:
> On Fri, Dec 6, 2019 at 4:11 PM Jordan Glover golden_mille...@protonmail.ch wrote:
> > Hi, this release causes a coredump on the wg-quick down action:
> > systemd[1]: Stopping WireGuard via wg-quick(8) for wg0...
> > wg-quick[2241]:

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20191205` Available

2019-12-06 Thread Jason A. Donenfeld
On Fri, Dec 6, 2019 at 4:11 PM Jordan Glover wrote:
> On Thursday, December 5, 2019 10:55 AM, Jason A. Donenfeld wrote:
> > Hello,
> > A new snapshot, `0.0.20191205`, has been tagged in the git repository.
> > Please note that this snapshot is a snapshot rather than a final

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread Jason A. Donenfeld
Hi Vasili,
On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin wrote:
> I've just figured out that the same effect can also be achieved with iptables:
> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP
Neat trick, but it still requires this to run on all

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20191205` Available

2019-12-06 Thread Jordan Glover
On Thursday, December 5, 2019 10:55 AM, Jason A. Donenfeld wrote:
> Hello,
> A new snapshot, `0.0.20191205`, has been tagged in the git repository.
> Please note that this snapshot is a snapshot rather than a final release that is considered secure and bug-free. WireGuard is generally

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread Jason A. Donenfeld
On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover wrote:
> On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld wrote:
> > If we can make nft coexistence work reliably, perhaps we can run the nft rule on systems where the nft binary simply exists.
> Will this work correctly

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread William J. Tolley
Hi all, So the nft rule worked flawlessly on our Ubuntu machines, but I'm having trouble applying the rule in Manjaro (undoubtedly user error). I'll try again on some different machines in the lab. Addressing zrm's question about carrying out the first two parts of the attack with rp_filter is

Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"

2019-12-06 Thread Jordan Glover
On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld wrote:
> If we can make nft coexistence work reliably, perhaps we can run the nft rule on systems where the nft binary simply exists.
Will this work correctly on systems where the nft binary exists but only iptables rules are used?