Recently, I ran into a scenario where I wanted to verify that geo-blocking on a specific UDP port was actually working. The UDP port is set up to only allow connections from the United States. The service listening on it is WireGuard.
The following tools are needed to perform this:
- Some sort of Linux distro (I used Kali Linux on a bare metal system; you might be able to do it using a virtual machine).
- OpenVPN client and config file
- OpenVPN server located outside of the United States
- Docker installed and working properly
- A firewall that supports geo-blocking with appropriate rules set up
- WireGuard service behind the mentioned firewall
- WireGuard client config
The WireGuard container I used for testing is the following: https://github.com/jordanpotter/docker-wireguard
- First, we will connect to the OpenVPN server that is outside of the United States (we want to make sure this VPN connection is a full tunnel, so that all traffic, including the WireGuard UDP packets, leaves from the non-US address):
openvpn --config Outside.ovpn
- You can then verify that your public IP address is now outside of the United States using:
curl ifconfig.me
- We will now run the following command to start a WireGuard client container that attempts to connect to the geo-blocked WireGuard service from outside of the United States (the mounted file is the WireGuard client config):
docker run --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v /root/OutsideCountry.conf:/etc/wireguard/wg0.conf jordanpotter/wireguard
- Next, we will spin up a container that uses the Docker container named ‘wireguard’ for its networking, so anything it sends goes through the WireGuard tunnel:
docker run --rm --net=container:wireguard -ti alpine /bin/ash
- Inside this container you can test whether you have network connectivity through the geo-blocked WireGuard service; in my case it proved that geo-blocking was working.
- To verify whether nested VPN connections even work in this scenario, I have an OpenVPN server that is located in the United States. Once I connected to this server, the container was able to connect to the geo-blocked WireGuard service.
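As an added example (not part of the original post), the following script turns the "can I reach it?" check into a pass/fail verdict based on WireGuard's own handshake state rather than on eyeballing connectivity from inside the Alpine container. It assumes the `wireguard` container from the steps above is running and that `wg show wg0 latest-handshakes` can be run inside it via `docker exec`; the 180-second freshness window and the `verdict`/`handshake_age` helper names are my own choices.

```shell
#!/bin/sh
# Added example: judge the geo-block test from WireGuard handshake state.
# `wg show wg0 latest-handshakes` prints one line per peer:
#   <peer-public-key><TAB><unix-epoch of last handshake>   (0 = never)
# A peer behind a working geo-block never completes a handshake from a
# non-US source address, so the epoch stays 0.

# handshake_age OUTPUT NOW
#   Prints the age in seconds of the newest handshake in OUTPUT relative
#   to the epoch NOW, or -1 when no peer has ever completed a handshake.
handshake_age() {
  printf '%s\n' "$1" | awk -v now="$2" '
    $2 > 0 && $2 > best { best = $2 }
    END { if (best > 0) print now - best; else print -1 }'
}

# verdict EXPECT OUTPUT NOW
#   EXPECT is "blocked" (the OpenVPN exit is outside the allowed country)
#   or "allowed" (the exit is inside it). A handshake newer than 180 s
#   counts as reachable; WireGuard rekeys about every two minutes, so an
#   older one is stale data from before the tunnel was moved.
verdict() {
  age=$(handshake_age "$2" "$3")
  reachable=0
  [ "$age" -ge 0 ] && [ "$age" -le 180 ] && reachable=1
  case "$1" in
    blocked) [ "$reachable" -eq 0 ] && echo PASS || echo FAIL ;;
    allowed) [ "$reachable" -eq 1 ] && echo PASS || echo FAIL ;;
    *) echo "usage: verdict blocked|allowed OUTPUT NOW" >&2; return 2 ;;
  esac
}

# Live run against the containers from the steps above (assumed to exist):
#   sleep 30   # give the client time for its first handshake attempts
#   out=$(docker exec wireguard wg show wg0 latest-handshakes)
#   verdict blocked "$out" "$(date +%s)"   # expect PASS with a non-US exit
#   verdict allowed "$out" "$(date +%s)"   # expect PASS with a US exit
```

Run the `blocked` check while connected to the non-US OpenVPN server and the `allowed` check after switching to the US one; a FAIL on either side means the firewall rule is not doing what the port's policy says.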