Stars: 159
Rank: 228,440 (Top 5 %)
Language: Shell
Created: almost 2 years ago
Updated: about 1 year ago


OpenVPN and WireGuard server on GitHub Actions: representative NAT traversal case

It is not possible to run server software on GitHub Actions by regular means: the worker virtual machine sits behind Network Address Translation (NAT), which prevents it from receiving direct inbound TCP/UDP connections.
This repository consists of GitHub Actions jobs that run OpenVPN and WireGuard VPN servers which traverse that NAT, making it possible to establish a VPN connection to the Actions worker machine directly, without any additional tunnel, third-party relay service, or port forwarding software.

This is a step-by-step, thoroughly documented, practical UDP NAT traversal showcase, using GitHub Actions with OpenVPN/WireGuard servers as the example and only stock software from the Ubuntu repositories. It covers UDP only: OpenVPN runs in UDP mode here, and WireGuard is UDP-only by design.

The NAT used on GitHub Actions is one of the most common kinds: neither the friendliest nor the ugliest.

Independent Mapping, Port Dependent Filter, random port, will hairpin

Once you understand the traversal principle used in this repository, you will understand the general idea behind any modern NAT traversal implementation.

How to use

It is assumed that you run Linux.

  1. Fork this repository and clone your fork
  2. Place your SSH public key into the authorized_keys file and git commit it
  3. Make sure you have stun-client by hanpfei installed (apt install stun-client on Debian/Ubuntu, dnf install stun on Fedora), as well as openvpn and/or wireguard
  4. Run ./run.sh openvpn for an OpenVPN server or ./run.sh wireguard for a WireGuard server
  5. Navigate to the Actions tab of your repository, open the corresponding job and check either the Print OpenVPN connection string or the Print WireGuard configuration file step for VPN connection instructions
  6. Connect to the VPN using the instructions from the Action
  7. After connecting to the VPN, run ssh [email protected] to connect to your Actions worker

NOTE: your public IP address will be visible in the commit history to everyone, and on a public repository the job log that prints the VPN connection string or configuration file is public as well. Make the repository private if that is inappropriate for your threat model.

How does it work

The Action jobs (openvpn, wireguard) in this repository:

  • Wait for a specific commit message containing the client's IP address and port
  • Set up an OpenVPN (UDP) or WireGuard server behind the Actions worker NAT
  • Determine the external IP address and the NAT port mapping of the VPN port using a STUN client
  • Punch the NAT by sending an empty UDP packet from the VPN server port towards the client's IP address and port every 28 seconds (just under the common 30-second UDP state timeout), using nping, until the client connects

The client-side run.sh script:

  • Checks the NAT type on the client
  • Determines the mapped external source port using STUN
  • git commits and pushes the client's external IP address and the mapped port discovered with STUN, as well as the local source port, so the Actions job can include them in the generated configuration files and one-liners (the client must connect from that exact local port, because both its NAT mapping and the worker's punches are tied to it)
  • Keeps the NAT mapping alive on non-port-preserving NATs

Questions and answers

‣ Does it work?

Yes. It traverses the NAT for UDP traffic of a GitHub Actions worker running on Microsoft Azure infrastructure behind a NAT of the following type:

Independent Mapping, Port Dependent Filter, random port, will hairpin

You will be able to connect directly to the WireGuard/OpenVPN server running on your Actions worker, which is not otherwise possible.

‣ But can I connect to it from behind another NAT, on the client side?

Yes, as long as you are behind the most common kind of NAT, one with "Independent Mapping" behaviour, whether port-preserving or not (random port). Independent Mapping is required because the port the client learns from a third-party STUN server is only the right one for the worker to punch towards if the client's NAT hands out the same external port regardless of destination.

The run.sh script does everything for you, including NAT type identification.

‣ Independent mapping? Port preserving? I only know Cone and Symmetric NAT!

The full cone/restricted cone/port-restricted cone/symmetric nomenclature (from RFC 3489) is outdated and does not precisely describe all the NAT types found on the real Internet; RFC 4787 instead describes mapping behaviour and filtering behaviour separately.
In the older vocabulary, the Actions worker sits behind a port-restricted NAT (which also does not preserve the source port).

For NAT type identification, refer to RFC 4787 and RFC 5128.
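To make the RFC 4787 vocabulary concrete, here is an added example, not part of the repository, that classifies a NAT's mapping behaviour from the results of STUN Binding Requests sent from one local socket to STUN endpoints that differ in IP and port (the RFC 5780 mapping-behaviour tests), and then applies the rule the previous answer relies on: both peers need Independent Mapping for a port discovered through a third-party STUN server to be valid towards the other peer. The probe results are constructed for illustration; filtering behaviour and hairpinning cannot be derived from these numbers and are not attempted.

```python
# Mapping behaviour terms follow RFC 4787 section 4.1; the short labels mirror the
# stun-client output quoted on this page ("Independent Mapping" etc.).
INDEPENDENT = "Independent Mapping"
ADDRESS_DEPENDENT = "Address Dependent Mapping"
ADDRESS_PORT_DEPENDENT = "Address and Port Dependent Mapping"


def classify_mapping(local_port, probes):
    """Classify mapping behaviour from STUN probes sent from ONE local socket.

    probes: list of ((dst_ip, dst_port), (mapped_ip, mapped_port)). Telling the
    three behaviours apart needs at least two destination IPs and, on one of
    them, two destination ports (RFC 5780 tests I, II and III).
    Returns (behaviour, port_preserving).
    """
    mapped = {dst: seen for dst, seen in probes}
    dst_ips = {ip for ip, _ in mapped}
    same_ip_two_ports = any(
        len({p for ip, p in mapped if ip == cand}) >= 2 for cand in dst_ips)
    if len(dst_ips) < 2 or not same_ip_two_ports:
        raise ValueError("probes must cover two destination IPs and two ports on one IP")
    results = set(mapped.values())
    if len(results) == 1:
        behaviour = INDEPENDENT                  # REQ-1: one external port for all peers
    else:
        per_ip = {}
        for (ip, _), seen in mapped.items():
            per_ip.setdefault(ip, set()).add(seen)
        if all(len(s) == 1 for s in per_ip.values()):
            behaviour = ADDRESS_DEPENDENT        # new port per peer IP, same across its ports
        else:
            behaviour = ADDRESS_PORT_DEPENDENT   # new port per peer ip:port ("symmetric")
    port_preserving = {port for _, port in results} == {local_port}
    return behaviour, port_preserving


def third_party_discovery_works(client_behaviour, server_behaviour):
    """A port learned via a STUN server is only valid towards a different peer
    when both NATs hand out the same external port regardless of destination."""
    return client_behaviour == INDEPENDENT and server_behaviour == INDEPENDENT


# Constructed sample data (assumption): one local socket on UDP port 51820 queried
# 198.51.100.1:3478, 198.51.100.2:3478 and 198.51.100.2:3479 (tests I, II, III).
PROBE_TARGETS = [("198.51.100.1", 3478), ("198.51.100.2", 3478), ("198.51.100.2", 3479)]
SAMPLES = {
    "actions worker (random port, independent)": [("203.0.113.7", 40001)] * 3,
    "home router (port-preserving, independent)": [("203.0.113.7", 51820)] * 3,
    "address dependent": [("203.0.113.7", 40001), ("203.0.113.7", 40002), ("203.0.113.7", 40002)],
    "symmetric / address and port dependent": [("203.0.113.7", 40001), ("203.0.113.7", 40002), ("203.0.113.7", 40003)],
}


def classify_samples(local_port=51820):
    """Run the classifier over every constructed sample; returns {name: (behaviour, pp)}."""
    return {name: classify_mapping(local_port, list(zip(PROBE_TARGETS, seen)))
            for name, seen in SAMPLES.items()}


if __name__ == "__main__":
    for name, (behaviour, pp) in classify_samples().items():
        print(f"{name}: {behaviour}, {'port-preserving' if pp else 'random port'}")
```

Only the first two sample NATs pass third_party_discovery_works together with the Actions worker's own Independent Mapping; a client behind the last one would have to fall back to a relay or to port prediction, which this repository does not attempt.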

‣ Where can I get more information?

The Actions workflow files (jobs) have detailed comments for each step; read them for openvpn and wireguard.

General NAT traversal information:

An even more detailed write-up, covering all NAT aspects, will follow later.
