I try to use Wireguard on a firewall with VRRP (based on Keepalived). The firewall blocks all the communications except to the VRRP address on port 51820 and the valid established connections.
Wireguard works well if I don't use VRRP.
When I try to use VRRP, the packet from client go to VRRP address as attended. But Wireguard try to reply from the physical IP address (and not the VRRP one), which is blocked on OUTPUT by the firewall as the IP change.
Do you know how Wireguard should be configured to reply by the VRRP address and not the physical one ?
I would not allow to answer by the physical IP address as clients firewall may block the connection if they do connection tracking too.
I try to see if a SNAT can help, to rewrite the physical IP to VRRP one, but it is not allowed put it in OUTPUT or PREROUTING nat rules.
Some logs : on the client (IP 10.3.3.2) :
11:41:09.011209 IP 10.3.3.2.47755 > 10.3.3.254.51820: UDP, length 148
11:41:14.131337 IP 10.3.3.2.47755 > 10.3.3.254.51820: UDP, length 148
on the firewall (10.3.3.252 physical, 10.3.3.254 VRRP) :
Jan 12 11:41:09 FW-DEV1 kernel: [ 3950.406083] OUTPUT: IN= OUT=enp0s9 SRC=10.3.3.252 DST=10.3.3.2 LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=7125 PROTO=UDP SPT=51820 DPT=47755 LEN=100
Jan 12 11:41:14 FW-DEV1 kernel: [ 3955.526617] OUTPUT: IN= OUT=enp0s9 SRC=10.3.3.252 DST=10.3.3.2 LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=7878 PROTO=UDP SPT=51820 DPT=47755 LEN=100
Edit: Add NAT
I put a NAT on VRRP interface and it almost solve the issue.
iptables -t nat -A PREROUTING -d WGIP/32 -p udp -m udp --dport 51820 -j DNAT --to-destination PHYSICALIP
But I need to open the filter rule with the PhysicalIP address. It means that the VRRP and the PHYSICALIP are open from outside. I cannot put a DROP rule before the nat rule to forbid the connection except to VRRPIP
0 Answers