
🚇 Outbound WireGuard

🏛️ Available in Ludus Enterprise

Setup

This feature routes range traffic out over a WireGuard tunnel specified in the range configuration. This can be useful for OPSEC, OSINT, or malware research.

While enabled, Ludus users can still interact directly with VMs via RDP, SSH, etc. through their own Ludus WireGuard tunnel, and Ludus can still reach the VMs to configure them.

To enable this feature, specify the router item in your configuration and populate the outbound_wireguard_config and outbound_wireguard_vlans keys.

The AllowedIPs value in your WireGuard configuration should always be 0.0.0.0/0. Ludus does not support "split tunnel" WireGuard configurations for outbound WireGuard at this time. Please contact us if this feature is required in your environment.

range-config.yml
...
router:
  outbound_wireguard_config: |-
    [Interface]
    PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
    Address = 10.0.38.224/32
    DNS = 91.231.153.2, 192.211.0.2

    [Peer]
    PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
    AllowedIPs = 0.0.0.0/0
    Endpoint = my.wireguard.provider.net:51820
  outbound_wireguard_vlans: # Specify which VLANs should be routed over the WireGuard tunnel
    - 10
...
Warning

IPv6 addresses in the Address or AllowedIPs fields are not supported.
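Because the two constraints above (AllowedIPs must be exactly 0.0.0.0/0, and no IPv6 in Address or AllowedIPs) are only enforced once the range is deployed, a pre-flight check of the outbound_wireguard_config text and the outbound_wireguard_vlans list is useful. The following is an added example, not Ludus code: it parses the WireGuard INI with the standard library, flags the placeholder keys from the snippet above, and checks the VLAN list. The 1..255 VLAN limit is an assumption inferred from the 10.<range>.<vlan>.0/24 subnets shown further down this page, and the sample config is a constructed copy of the snippet above.

```python
import base64
import binascii
import configparser
import ipaddress
from typing import List

# Constructed sample mirroring the shape of the range-config.yml snippet
# above; the XXXX... keys are placeholders, not real WireGuard keys.
SAMPLE_WG_CONFIG = """\
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.0.38.224/32
DNS = 91.231.153.2, 192.211.0.2

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0
Endpoint = my.wireguard.provider.net:51820
"""


def _is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 random bytes in base64 (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def _split_list(value: str) -> List[str]:
    """Split a comma-separated WireGuard value into its entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_outbound_wireguard(wg_config: str, vlans: List[int]) -> List[str]:
    """Return the problems found; an empty list means the settings pass."""
    problems: List[str] = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep WireGuard's CamelCase option names
    try:
        cp.read_string(wg_config)
    except configparser.Error as exc:
        return [f"outbound_wireguard_config does not parse: {exc}"]
    for section in ("Interface", "Peer"):
        if not cp.has_section(section):
            return [f"outbound_wireguard_config is missing the [{section}] section"]
    iface, peer = cp["Interface"], cp["Peer"]

    # Keys: catch placeholders copied from the documentation snippet.
    for section, name in ((iface, "PrivateKey"), (peer, "PublicKey")):
        if not _is_wg_key(section.get(name, "")):
            problems.append(f"{name} is not a 32-byte base64 key (placeholder left in?)")

    # Address: IPv4 only (the page states IPv6 is not supported here).
    for addr in _split_list(iface.get("Address", "")):
        try:
            if ipaddress.ip_interface(addr).version == 6:
                problems.append(f"Address {addr} is IPv6, which is not supported")
        except ValueError:
            problems.append(f"Address {addr} is not a valid IP address")

    # AllowedIPs: must be exactly 0.0.0.0/0; no split tunnel, no IPv6.
    allowed = _split_list(peer.get("AllowedIPs", ""))
    for net in allowed:
        try:
            if ipaddress.ip_network(net, strict=False).version == 6:
                problems.append(f"AllowedIPs {net} is IPv6, which is not supported")
        except ValueError:
            problems.append(f"AllowedIPs {net} is not a valid network")
    if allowed != ["0.0.0.0/0"]:
        problems.append("AllowedIPs must be exactly 0.0.0.0/0 (split tunnels are not supported)")

    # Endpoint: host:port with a usable port number.
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("Endpoint must be host:port")

    # VLAN list: non-empty, unique, one octet wide. The octet limit is an
    # assumption inferred from the 10.<range>.<vlan>.0/24 subnets on this page.
    if not vlans:
        problems.append("outbound_wireguard_vlans is empty")
    if len(set(vlans)) != len(vlans):
        problems.append("outbound_wireguard_vlans contains duplicates")
    for vlan in vlans:
        if not isinstance(vlan, int) or not 1 <= vlan <= 255:
            problems.append(f"VLAN {vlan!r} is not an integer in 1..255")
    return problems


if __name__ == "__main__":
    for problem in check_outbound_wireguard(SAMPLE_WG_CONFIG, [10]):
        print("-", problem)
```

Run as-is it reports only the two placeholder keys from the sample; feed it the block scalar from your own range-config.yml (and the VLAN list) before running ludus range deploy. Checking the key length catches the most common copy-paste mistake, a config that parses cleanly but still carries the documentation placeholders.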

How does it work?

In order to route traffic over the WireGuard tunnel, the Linux (Debian) router uses iptables to mark packets from the outbound_wireguard_vlans, except those destined for 192.0.2.254 (the Ludus host) or 198.51.100.0/24 (the client WireGuard addresses). An ip rule then sends packets carrying that mark (fwmark 0x1) through a dedicated outbound_wg routing table whose default route points at the tunnel.

In the following example, the ens19 interface is the interface for VLAN 10 in outbound_wireguard_vlans.

[Diagram: Debian Router with interfaces ens18 (Internet), ens19 (VLAN 10), ens20 (VLAN 99) and wg0 (WireGuard tunnel). Routing tables: Main Table, whose default route goes to the Internet via ens18, and WG Table (fwmark 0x1), whose default route goes into the WireGuard tunnel via outbound_wg. Legend: ens18 (Internet), ens19 (VLAN 10), ens20 (VLAN 99), outbound_wg (WireGuard), Default Route.]

This is accomplished with two iptables rules in the MANGLE table's PREROUTING chain, plus a change to the NAT table's POSTROUTING rule for the interfaces of the user-specified VLANs.

Normal MANGLE table PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Normal NAT table POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  146  8279 MASQUERADE all  --  *      ens18   10.2.10.0/24         !198.51.100.0/24
    1    76 MASQUERADE all  --  *      ens18   10.2.99.0/24         !198.51.100.0/24

After the outbound WireGuard tunnel is enabled:

Outbound WireGuard enabled for VLAN 10 MANGLE table PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       10.2.10.0/24         192.0.2.254
   11   646 MARK       all  --  *      *       10.2.10.0/24         !198.51.100.0/24     MARK set 0x1

Outbound WireGuard enabled for VLAN 10 NAT table POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  146  8279 MASQUERADE all  --  *      outbound_wg  10.2.10.0/24    !198.51.100.0/24
    1    76 MASQUERADE all  --  *      ens18   10.2.99.0/24         !198.51.100.0/24
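To make the mark, ip rule and NAT steps concrete, here is an added example (not Ludus code) that models the rules shown above as a packet classifier: it applies the two MANGLE PREROUTING rules, picks the routing table by fwmark, and applies the changed NAT POSTROUTING rules, so you can see where a given source/destination pair leaves the router and whether it is masqueraded. The subnets, the Ludus host address, the client WireGuard range and the mark value come from this page; the tunnel interface name outbound_wg is taken from the NAT rule's out column. The contents of the main table (connected networks plus a default route via ens18) and the outbound_wg table (a default route via the tunnel) are assumptions, as is the rt_tables entry in equivalent_commands(), which is a reconstruction of commands that would produce the rules shown, not Ludus' own provisioning code. Inter-VLAN traffic is not described on the page, so the model says nothing reliable about it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Values taken from the page: VLAN 10 is 10.2.10.0/24 and is the only entry in
# outbound_wireguard_vlans, VLAN 99 is 10.2.99.0/24, the Ludus host is
# 192.0.2.254 and client WireGuard addresses are 198.51.100.0/24.
VLAN10 = ipaddress.ip_network("10.2.10.0/24")
VLAN99 = ipaddress.ip_network("10.2.99.0/24")
LUDUS_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed: the host's subnet on ens18
LUDUS_HOST = ipaddress.ip_address("192.0.2.254")
WG_CLIENTS = ipaddress.ip_network("198.51.100.0/24")
FWMARK = 0x1
TUNNEL_IF = "outbound_wg"  # out interface shown in the NAT rule above


@dataclass(frozen=True)
class Verdict:
    mark: int
    table: str
    oif: str
    masquerade: bool


def mangle_prerouting(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> int:
    """Mirror of the two MANGLE PREROUTING rules shown on the page."""
    if src in VLAN10 and dst == LUDUS_HOST:
        return 0          # RETURN: traffic to the Ludus host stays unmarked
    if src in VLAN10 and dst not in WG_CLIENTS:
        return FWMARK     # MARK set 0x1
    return 0


def route(mark: int, dst: ipaddress.IPv4Address) -> Tuple[str, str]:
    """ip rule: fwmark 0x1 selects table outbound_wg, everything else uses main.
    Table contents are assumed (see the lead-in): outbound_wg holds only a
    default route via the tunnel; main holds the connected networks and a
    default route via ens18."""
    if mark == FWMARK:
        return "outbound_wg", TUNNEL_IF
    for net, dev in ((VLAN10, "ens19"), (VLAN99, "ens20"), (LUDUS_NET, "ens18")):
        if dst in net:
            return "main", dev
    return "main", "ens18"


def nat_postrouting(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, oif: str) -> bool:
    """Mirror of the NAT POSTROUTING rules after the tunnel is enabled:
    VLAN 10 is only masqueraded on the tunnel, VLAN 99 still on ens18."""
    if oif == TUNNEL_IF and src in VLAN10 and dst not in WG_CLIENTS:
        return True
    if oif == "ens18" and src in VLAN99 and dst not in WG_CLIENTS:
        return True
    return False


def classify(src: str, dst: str) -> Verdict:
    """Run a packet through mark -> policy routing -> NAT and report the result."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = mangle_prerouting(s, d)
    table, oif = route(mark, d)
    return Verdict(mark, table, oif, nat_postrouting(s, d, oif))


def equivalent_commands(vlan_subnet: str = "10.2.10.0/24") -> List[str]:
    """iptables/ip commands that would produce the rules shown on the page.
    A reconstruction for illustration; assumes 'outbound_wg' is defined as a
    table name in /etc/iproute2/rt_tables."""
    return [
        f"iptables -t mangle -A PREROUTING -s {vlan_subnet} -d {LUDUS_HOST} -j RETURN",
        f"iptables -t mangle -A PREROUTING -s {vlan_subnet} ! -d {WG_CLIENTS} -j MARK --set-mark {FWMARK:#x}",
        f"iptables -t nat -A POSTROUTING -s {vlan_subnet} ! -d {WG_CLIENTS} -o {TUNNEL_IF} -j MASQUERADE",
        f"ip rule add fwmark {FWMARK:#x} table outbound_wg",
        f"ip route add default dev {TUNNEL_IF} table outbound_wg",
    ]


if __name__ == "__main__":
    for pair in (("10.2.10.5", "203.0.113.9"), ("10.2.10.5", "192.0.2.254"),
                 ("10.2.10.5", "198.51.100.3"), ("10.2.99.5", "203.0.113.9")):
        print(pair, classify(*pair))
```

Two things the model makes visible: VLAN 10 traffic to the Ludus host or to a client WireGuard address is never marked and therefore never enters the tunnel (which is why Ludus and your RDP/SSH sessions keep working), and after the change the VLAN 10 MASQUERADE rule only matches on the tunnel interface, so no VLAN 10 packet is NATed out of ens18 any more. When verifying on a live router, iptables -t mangle -L PREROUTING -v -n and ip rule show are the two commands whose output should match the tables above.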