algo/roles
Dan Guido 9cc0b029ac
Fix VPN traffic routing issue with iptables NAT rules (#14825)
* Fix VPN traffic routing issue with iptables NAT rules

The MASQUERADE rules had policy matching (-m policy --pol none --dir out)
which was preventing both WireGuard AND IPsec traffic from being NAT'd
properly. This policy match was incorrect and broke internet routing for
all VPN clients.

The confusion arose because:
- IPsec FORWARD rules check for --pol ipsec (encrypted traffic)
- But POSTROUTING happens AFTER decryption, so packets no longer have policy
- The --pol none match was blocking these decrypted packets from NAT

Changes:
- Removed policy matching from both IPsec and WireGuard NAT rules
- Both VPN types now use simple source-based NAT rules
- Applied to both IPv4 and IPv6 rule templates

This fixes the issue where VPN clients (both WireGuard and IPsec) could
connect but not route traffic to the internet.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Remove unnecessary policy matching from iptables rules

The policy matching (-m policy --pol none) was causing routing issues for
both WireGuard and IPsec VPN traffic. This was based on a misunderstanding
of how iptables processes VPN traffic:

1. FORWARD chain: IPsec needs --pol ipsec to identify encrypted traffic,
   but WireGuard doesn't need any policy match (it's not IPsec)

2. POSTROUTING NAT: Both VPN types see decrypted packets here, so policy
   matching is unnecessary and was blocking NAT

Changes:
- Removed policy matching from all NAT rules (both VPN types)
- Removed policy matching from WireGuard FORWARD rules
- Kept policy matching only for IPsec FORWARD (where it's needed)
- Added comprehensive unit tests to prevent regression

This fully fixes VPN routing for both WireGuard and IPsec clients.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix Python linting issues in iptables test file

Fixed all ruff linting issues:
- Removed unused yaml import
- Fixed import sorting (pathlib before third-party imports)
- Removed trailing whitespace from blank lines
- Added newline at end of file

All tests still pass after formatting fixes.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
2025-08-17 16:33:04 -04:00
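A regression check for the pattern this commit describes, added here as an example and not Algo's own code or tests: it parses iptables-save style rules, flags nat/POSTROUTING rules that still carry an `-m policy` match, and rewrites a flagged rule into the source-based form the commit switches to. The sample rules and subnets below are constructed.

```python
# Added example (not Algo's own code or tests): regression check for the
# `-m policy` pattern the commit above identifies as blocking VPN NAT.
import shlex

# Constructed iptables-save sample (subnets invented): broken rule, then the fix.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 10.49.0.0/16 -m policy --pol none --dir out -j MASQUERADE
-A POSTROUTING -s 10.48.0.0/16 -j MASQUERADE
COMMIT
*filter
-A FORWARD -s 10.49.0.0/16 -m policy --pol ipsec --dir in -j ACCEPT
COMMIT
"""
POLICY_VALUE_OPTS = {"--pol", "--dir", "--reqid", "--spi", "--proto",  # take a value
                     "--mode", "--tunnel-src", "--tunnel-dst"}
POLICY_FLAG_OPTS = {"--strict", "--next"}  # bare flags of the policy match

def parse_rules(text):
    """Yield (table, chain, tokens) for each -A line in iptables-save text."""
    table = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]

def has_policy_match(tokens):  # does the rule load the policy match module?
    return any(a == "-m" and b == "policy" for a, b in zip(tokens, tokens[1:]))

def find_policy_matched_nat_rules(text):
    """Return nat/POSTROUTING rules (as strings) that still use `-m policy`."""
    return [" ".join(["-A", chain, *tokens])
            for table, chain, tokens in parse_rules(text)
            if table == "nat" and chain == "POSTROUTING" and has_policy_match(tokens)]

def strip_policy_match(rule):
    """Rewrite one rule without its `-m policy ...` clause (the commit's fix)."""
    tokens, out, i = shlex.split(rule), [], 0
    while i < len(tokens):
        if tokens[i] == "-m" and tokens[i + 1:i + 2] == ["policy"]:
            i += 2  # drop `-m policy` and every option belonging to it
            while i < len(tokens) and tokens[i] in POLICY_VALUE_OPTS | POLICY_FLAG_OPTS:
                i += 2 if tokens[i] in POLICY_VALUE_OPTS else 1
            continue
        out.append(tokens[i])
        i += 1
    return " ".join(out)
```

The filter/FORWARD rule with `--pol ipsec` is deliberately left alone, matching the commit's note that policy matching stays only where IPsec FORWARD needs it.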
client fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-azure fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-cloudstack/tasks fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-digitalocean/tasks fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-ec2 fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-gce/tasks fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-hetzner/tasks fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-lightsail fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-linode fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-openstack/tasks Fix AWS Lightsail deployment error (boto3 parameter) (#14823) 2025-08-16 03:39:00 -04:00
cloud-scaleway fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
cloud-vultr/tasks fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
common Fix VPN traffic routing issue with iptables NAT rules (#14825) 2025-08-17 16:33:04 -04:00
dns fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
local/tasks fix: Fix shellcheck POSIX sh issue and make ansible-lint stricter (#14789) 2025-08-03 07:04:04 -04:00
privacy fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
ssh_tunneling fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
strongswan fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
wireguard fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00