10
9
Fork
You've already forked linux-app
14

Support strict reverse path filtering #682

Open
opened 2026年02月08日 14:18:10 +01:00 by ncf · 3 comments

Strict reverse path filtering is a security measure that drops incoming packets unless they would be routed out of same the interface they came in from. This is currently not compatible with eduVPN's routing, because incoming WireGuard packets are received on the WAN interface but would be routed through the WireGuard interface if the endpoint is included in AllowedIPs. As a result, the docs mention (here and here) that one should loosen reverse path filtering in environments where it is strict by default.

It would be nice to support strict reverse path filtering. wg-quick does this by saving the fwmark for WireGuard connections as the connection mark and restoring it for incoming packets. It then enables net.ipv4.conf.all.src_valid_mark so that the mark is taken into account for reverse path filtering. If one uses the rpfilter netfilter module instead, one can use --validmark to the same effect (NixOS enables this by default).

Maybe this is something to be fixed in NetworkManager directly.

Strict reverse path filtering is a security measure that drops incoming packets unless they would be routed out of same the interface they came in from. This is currently not compatible with eduVPN's routing, because incoming WireGuard packets are received on the WAN interface but would be routed through the WireGuard interface if the endpoint is included in AllowedIPs. As a result, the docs mention ([here](https://docs.eduvpn.org/client/linux/support.html#connecting-to-wireguard-vpn-over-ipv6-blocked-by-firewalld) and [here](https://docs.eduvpn.org/client/linux/installation.html#nixos)) that one should loosen reverse path filtering in environments where it is strict by default. It would be nice to support strict reverse path filtering. `wg-quick` [does this](https://github.com/WireGuard/wireguard-tools/blob/0b7d9821f2815973a2930ace28a3f73c205d0e5c/src/wg-quick/linux.bash#L238-L241) by saving the fwmark for WireGuard connections as the connection mark and restoring it for incoming packets. It then enables `net.ipv4.conf.all.src_valid_mark` so that the mark is taken into account for reverse path filtering. If one uses the rpfilter netfilter module instead, one can use `--validmark` to the same effect (NixOS enables this by default). Maybe this is something to be fixed in NetworkManager directly.
Author
Copy link

NetworkManager actually already does this if ip4/6-auto-default-route is enabled, but eduVPN does not enable that and sets up routing manually instead. It would be good to rely more on NetworkManager for this. If something cannot be done then changes should be made upstream.

NetworkManager actually [already does this](https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2158) if [`ip4/6-auto-default-route`](https://networkmanager.dev/docs/api/latest/settings-wireguard.html) is enabled, but eduVPN [does not enable that](https://codeberg.org/eduVPN/linux-app/src/commit/62b3a3538532b1b19a47648e60c9ffd367ef837c/eduvpn/nm.py#L599-L601) and sets up routing manually instead. It would be good to rely more on NetworkManager for this. If something cannot be done then changes should be made upstream.

we can't use NetworkManager's routing as it automatically adds a suppress_prefixlength 0 rule, which allows all non default route traffic from the main routing table. This is insecure as it does not protect against attacks like tunnelcrack/tunnelvision that abuse this behavior to bypass the VPN using DHCP static routes.

we can't use NetworkManager's routing as it automatically adds a suppress_prefixlength 0 rule, which allows all non default route traffic from the main routing table. This is insecure as it does not protect against attacks like tunnelcrack/tunnelvision that abuse this behavior to bypass the VPN using DHCP static routes.
Author
Copy link

Was this issue raised upstream? This seems like something that should be fixed in both NetworkManager and wg-quick, if it is really a security risk.

Was this issue raised upstream? This seems like something that should be fixed in both NetworkManager and wg-quick, if it is really a security risk.
Sign in to join this conversation.
No Branch/Tag specified
master
upstream-deb
openvpn-persistent
1.x
4.7.2
4.7.1
4.7.0
4.6.0
4.5.1
4.5.0
4.4.99.0
4.4.0
4.3.1
4.3.0
4.2.99.1
4.2.99.0
4.2.1
4.2.0
4.1.99.0
4.1.3
4.1.2
4.1.1
4.1.0
3.1.1
4.0.1
4.0.0
pr-3.3.1
pr-3.3.0
pr-3.2.0
3.1.0
3.0.0
2.2.1
2.2.0
2.1.0
2.0.0
1.1
1.0.3
1.0.2
1.0.1
1.0rc17
1.0rc16
1.0rc15
1.0rc14
1.0rc13
1.0rc12
1.0rc11
1.0rc10
1.0rc9
1.0rc8
1.0rc7
1.0rc6
1.0rc5
1.0rc4
1.0rc3
1.0rc2
1.0rc1
0.8
0.7.2
0.7.1
0.7
0.6.1
0.6
0.5.1
0.5
0.3
0.2.1
0.2
0.1.1
0.1
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
eduVPN/linux-app#682
Reference in a new issue
eduVPN/linux-app
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?