Wireguard sends packets with source port 1 when using second routing table

I have a small home server in my basement that’s connected to a router and my home network. As my cable ISP only offers public IPv6 addresses and IPv4 is behind a carrier-grade NAT, I bought myself a public IPv4 address using an OpenVPN connection to a third party. As the contract with the latter provider includes some traffic limitations, I only want to route the “public” server traffic over the VPN connection. All in all, it looks like this:

    --------------------------
    | WG Host                |
    |------------------------|
    | eth0:  192.168.1.30    | <- dhcp, home network, default gateway
    | tun0:  214.144.203.5   | <- vpn with public ipv4 address, gw for public services
    | vmnet: 192.168.5.1     | <- virtual machines, server daemons
    | wg0:   192.168.10.1    | <- wireguard
    --------------------------

Most services I have are on the vmnet subnet; ssh (on port 110) and wireguard (on port 123) are supposed to run on the host. I have set up a second routing table and route all traffic with source ports like 80 or 443 over the VPN connection, unless an internal client connects to the services, because I do not want to route all that traffic over the internet when in fact the server is right inside my home network. To be able to do this, I’ve come up with some rather complex iptables rules:

    # Always set source IP to VPN ip, so home network clients do not get confused
    iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
    iptables -A POSTROUTING -t nat -p tcp --sport 80 -j SNAT --to 214.144.203.5
    iptables -A POSTROUTING -t nat -p tcp --sport 443 -j SNAT --to 214.144.203.5

    # public services, default gateway via vpn (replies from the VMs pass PREROUTING on the host)
    iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 2
    iptables -A PREROUTING -t mangle -p tcp --sport 443 -j MARK --set-mark 2

    # Do the same for ssh & wireguard (123/udp) running on the host itself (OUTPUT chain),
    # except for replies to the home network (/24 mask: a bare 192.168.1.0 would match only that single host)
    iptables -A OUTPUT -t mangle -p tcp --sport 22 ! -d 192.168.1.0/24 -j MARK --set-mark 2
    iptables -A OUTPUT -t mangle -p udp --sport 123 ! -d 192.168.1.0/24 -j MARK --set-mark 2

    # marked packets use routing table 2, whose default route points at the VPN gateway
    ip rule add fwmark 2 table 2
    ip route add default via 214.144.203.4 dev tun0 table 2
    ip route add 192.168.5.0/24 dev vmnet table 2
    ip route add 192.168.1.0/24 dev eth0 table 2

This works pretty well for the vmnet services and ssh, but wireguard’s behavior seems to be a little bit strange: it works inside my home network, but when I try to reach it from the outside, it won’t work. When doing a tcpdump on tun0 I can observe that the client’s packets reach wireguard just fine. The answering packets are obviously sent on tun0, too (so routing seems to work). The strange thing is that Wireguard sets the source port of these packets to ‘1’. Unfortunately, they never reach the client. I suppose that is because the NATs in between don’t manage to match the (srcport, dstport) combination anymore.
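As an added illustration (not part of the original post), a small Python script that checks a `tcpdump -n` capture for exactly the symptom described above: replies from the WireGuard listener leaving with a source port other than the one the peer sent to, which is the port the NATs in between keyed their mapping on. The capture lines are constructed; the host address is the one from the post and the peer address is a documentation-range placeholder.

```python
import re

# Constructed lines in the shape of "tcpdump -ni tun0 udp": a WireGuard peer
# (203.0.113.77, placeholder) hits the host's listener on 123/udp and the host
# answers.  The last reply carries the symptom from the post: source port 1.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.77.51820 > 214.144.203.5.123: UDP, length 148
12:00:01.000400 IP 214.144.203.5.123 > 203.0.113.77.51820: UDP, length 92
12:00:02.000100 IP 203.0.113.77.51820 > 214.144.203.5.123: UDP, length 148
12:00:02.000400 IP 214.144.203.5.1 > 203.0.113.77.51820: UDP, length 92
"""

# tcpdump prints IPv4 endpoints as "a.b.c.d.port"; the greedy address class
# backtracks so the last dotted component becomes the port.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP"
)


def parse(capture):
    """Return (src, sport, dst, dport) tuples for every UDP line in the capture."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def find_source_port_mismatches(capture, host_ip, listen_port):
    """Return (peer_ip, peer_port, reply_sport) for every reply to a peer that
    previously sent to host_ip:listen_port but whose source port is not listen_port.
    A stateful NAT on the path only has a mapping for listen_port, so such
    replies are dropped before they reach the peer."""
    seen_peers = set()
    mismatches = []
    for src, sport, dst, dport in parse(capture):
        if dst == host_ip and dport == listen_port:
            seen_peers.add((src, sport))
        elif src == host_ip and (dst, dport) in seen_peers and sport != listen_port:
            mismatches.append((dst, dport, sport))
    return mismatches


if __name__ == "__main__":
    for peer_ip, peer_port, bad_sport in find_source_port_mismatches(
        SAMPLE_CAPTURE, "214.144.203.5", 123
    ):
        print(f"reply to {peer_ip}:{peer_port} left with source port {bad_sport}, expected 123")
```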

Changing Input Source not working in some apps

I have a couple of Input Sources set up (Australian and Teknia Greek, the latter added into ~/Library/Keyboard Layouts). These work correctly in some apps (e.g. Chrome, TextMate), but in other apps (all Office apps, TextEdit, Notes) I am unable to use Teknia Greek. Even if this is selected while focused on another app, as soon as I focus back on one of these apps, the Input Source switches back to Australian. This only affects my MacBook Pro. My iMac has the same setup and works correctly. Both are running Mojave.

Java Source Code for Constructing Büchi Automata from LTL formulas [on hold]

I am looking for a Java implementation of constructing nondeterministic Büchi automata from linear temporal logic formulas. I tested several ones, but none of them worked for me. For example:

1) LTL2BA4J, which is a Java interface for LTL2BA implemented in C, does not work because LTL2BA cannot be executed. Besides, I need something fully implemented in Java.

Does SoapUI Open Source 5.4.0 require that you upgrade to the Pro version for HTTP Monitor proxy with SSL?

When I have the HTTP Proxy radio button selected instead of the HTTP Tunnel one, all of the text boxes on the Security tab are disabled, and I can’t set an endpoint for the HTTP Tunnel.

I don’t particularly want to set it as a global proxy either.

Do I have to register to get that functionality? Or is a “Tunnel” defined here as just a proxy with encryption? I’ve used Stunnel before on Linux to do something similar (actually it was so that I could connect to webmin when it was bound to the loopback).

I have a small Open Source project I’d like reviewed

Is this the proper place? It’s a node.js module intended as a possible alternative to Helmet.

If this is not the place, any suggestions? Thanks.

Hmm, apparently I must include at least three lines of code. Here’s how you would use it:

    // assumed: the module is required as 'kepi' and used with Express (not stated in the post)
    const Kepi = require('kepi');
    const express = require('express');
    const app = express();

    // declarative style
    let kepi = Kepi({
      'X-Powered-By': 'super duper system',
      'Content-Type': ['text/html', 'charset=utf-8'],
      'Feature-Policy': {
        vibrate: "'none'",
        geolocation: "'self'",
      },
    });

    // can also be programmatic
    kepi.header('Expires').set(Date.now() + 60*60*1000);  // good for one hour

    // assuming you use Express
    app.use(kepi.middleware());

Note, to mimic Helmet you’d just go

    app.use(kepi().safe().middleware());

Compared to Helmet, it’s much smaller, IMO simpler, and also allows you to modify headers on the fly, and not just security headers. OTOH, I’m not a security expert and there may be bugs or flaws.

Github repo here

SoapUI – change source IP address

I have been scouring the internet for the past few hours and I cannot seem to find an answer to my question. Maybe it is not even possible to do what I would like to do.

I am testing a web service from SoapUI, which is installed on a Virtual PC with multiple IPs. HTTP requests always go from the default IP (let’s name it DEFAULT_IP), but I would like to make SoapUI choose a different IP address to send the request from – let’s say it is called CUSTOM_IP. Why is that? We have a VPN connection to our client that goes from CUSTOM_IP to the client. That’s why we need to send requests from CUSTOM_IP. Basically, what I would like to achieve is to change the source point address.

Is this even possible?