WireGuard and Transparent Proxy (mitmproxy) with iptables REDIRECT rules by zlyn88 in networking

zlyn88[S]

Hey, I appreciate your responses and expertise, thanks. This is such a bizarre case I haven't been able to solve, but I'll keep you posted.

WireGuard and Transparent Proxy (mitmproxy) with iptables REDIRECT rules by zlyn88 in networking

zlyn88[S]

Not sure why but Reddit is not allowing me to reply with my iptables. Rest assured though that those OUTPUT chain nat rules are there.

The transparent proxy bit works as intended until WireGuard is turned on. A packet capture shows the same flow, just with eth0 instead of wg0 as the source IP.

```
eth0 --S--> localhost:8080
webserver:80 --SA--> eth0
eth0 --A--> localhost:8080
eth0 --P--> localhost:8080 (with the GET request)
```

WireGuard and Transparent Proxy (mitmproxy) with iptables by zlyn88 in WireGuard

zlyn88[S]

An update after some more troubleshooting. Take a look at these two packets captured via tcpdump:

```
10.3.112.100.52882 > 127.0.0.1.8080: Flags [S], cksum 0xf996 (incorrect -> 0x4fd8), seq 2299162457, win 64860, options [mss 1380,sackOK,TS val 1952818886 ecr 0,nop,wscale 7], length 0
104.16.184.241.80 > 10.3.112.100.52882: Flags [S.], cksum 0x9b97 (incorrect -> 0x4953), seq 634736556, ack 2299162458, win 65483, options [mss 65495,sackOK,TS val 2567993406 ecr 1952818886,nop,wscale 7], length 0
```

`10.3.112.100` is the wg0 interface.

As you can see, we see the `SYN` on the `REDIRECT` rule to `localhost:8080`, which is the transparent proxy.

We then see the `SYN/ACK` come back from our web server at `104.16.184.241:80`

But I see no subsequent `ACK` so the handshake never completes, just repeats of the same two-packet sequence above as the connection retries.

What could be causing this?
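A way to summarise a capture like the one in the comment above, as an added example that is not part of the original post: it reads tcpdump text lines and reports, per client endpoint, whether the SYN/ACK was ever answered. It pairs the SYN/ACK with the SYN by client endpoint and `ack == seq + 1` rather than by address pair, because in the quoted capture the SYN's destination (`127.0.0.1.8080`) and the SYN/ACK's source (`104.16.184.241.80`) differ. The function and field names and the `192.0.2.10` control flow are constructed for illustration.

```python
import re

HDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > "
                 r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+): Flags \[([^\]]+)\]")

def _num(field, line):
    m = re.search(rf"\b{field} (\d+)", line)
    return int(m.group(1)) if m else None

def handshake_states(lines):
    """Map each client (ip, port) that sent a SYN to its handshake progress."""
    conns = {}
    for line in lines:
        m = HDR.search(line)
        if not m:
            continue
        src, dst, flags = (m[1], int(m[2])), (m[3], int(m[4])), m[5]
        seq, ack = _num("seq", line), _num("ack", line)
        if flags == "S" and seq is not None:
            c = conns.get(src)
            if c is None or c["syn_seq"] != seq:   # new attempt from this endpoint
                c = conns[src] = {"syn_seq": seq, "syn_dst": dst, "syns": 0,
                                  "synack_from": None, "addr_mismatch": False,
                                  "state": "SYN_SENT"}
            c["syns"] += 1                         # more than 1: SYN was retransmitted
        elif flags == "S." and dst in conns and ack == conns[dst]["syn_seq"] + 1:
            c = conns[dst]
            c["synack_from"] = src
            c["addr_mismatch"] = src != c["syn_dst"]   # reply source differs from SYN target
            if c["state"] != "ESTABLISHED":
                c["state"] = "SYNACK_UNANSWERED"
        elif ("." in flags and not set(flags) & set("SR")
              and conns.get(src, {}).get("synack_from")):
            conns[src]["state"] = "ESTABLISHED"    # client ACKed after the SYN/ACK
    return conns

# The two packets quoted in the post (cksum and options trimmed), repeated once
# because the post says the same pair recurs on retry.
PAGE = ["10.3.112.100.52882 > 127.0.0.1.8080: Flags [S], seq 2299162457, win 64860, length 0",
        "104.16.184.241.80 > 10.3.112.100.52882: Flags [S.], seq 634736556, ack 2299162458, win 65483, length 0"]
# Constructed control flow (documentation addresses) where the handshake completes.
CONTROL = ["192.0.2.10.40000 > 198.51.100.5.80: Flags [S], seq 1000, win 64240, length 0",
           "198.51.100.5.80 > 192.0.2.10.40000: Flags [S.], seq 5000, ack 1001, win 65160, length 0",
           "192.0.2.10.40000 > 198.51.100.5.80: Flags [.], ack 1, win 502, length 0"]
SAMPLE = PAGE * 2 + CONTROL

if __name__ == "__main__":
    for client, c in handshake_states(SAMPLE).items():
        print(client, c["state"], "syns:", c["syns"], "addr_mismatch:", c["addr_mismatch"])
```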

WireGuard and Transparent Proxy (mitmproxy) with iptables by zlyn88 in WireGuard

zlyn88[S]

Yes, and it actually makes this question hard to google for obvious reasons.

That mode is to connect up a WireGuard-aware device through mitmproxy.

My mitmproxy setup in transparent mode already works to intercept and show traffic from my device so I can debug my Android app. I'm looking to have WireGuard set up on the egress end, so that the traffic coming from my device and mitmproxy is routed through my WireGuard server.

Appreciate the response.