• Stars
    star
    170
  • Rank 223,357 (Top 5 %)
  • Language
    Shell
  • License
    MIT License
  • Created over 5 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Resources to tunnel Wireguard over Websockets

Wireguard-over-Websockets Config

This project explains the steps to enable a Wireguard VPN connection to be tunnelled over a Secure Websockets (WSS) connection for use cases where outbound VPN traffic may be blocked/filtered/monitored.

The following steps assume that there is already a Wireguard connection established that is to be mondified for tunelling over WSS.

Server Configuration

No modifications need to be made to the Wireguard server configuration itself, but wstunnel needs to be installed and configured as a systemd unit.

  1. Download the latest wstunnel release
  2. Copy the binary to /usr/local/bin/wstunnel
  3. Allow the binary to listen on privileged ports:
$ sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/wstunnel
  1. Create the following service file at /etc/systemd/system/wstunnel.service:
[Unit]
Description=Tunnel WG UDP over websocket
After=network.target

[Service]
Type=simple
User=nobody
ExecStart=/usr/local/bin/wstunnel -v --server wss://0.0.0.0:443 --restrictTo=127.0.0.1:51820
Restart=no

[Install]
WantedBy=multi-user.target
  1. Start and enable the service:
$ sudo systemctl enable wstunnel
$ sudo systemctl start wstunnel

If relying solely on the software firewall installed on the droplet, ensure that inbound traffic to port 443 is permitted. If relying upon DigitalOcean cloud firewall, see later steps for dynamically allowing traffic through during connection establishment using the DigitalOcean API.

Client Configuration

Ensure dependencies are installed (debian-based example):

apt update && apt install -y curl jq
  1. Download the latest wstunnel release
  2. Copy the binary to /usr/local/bin/wstunnel
  3. Copy existing config to /etc/wireguard/wss.conf
  4. If using the DigitalOcean firewall script, install do-firewall.sh to /etc/wireguard/do-firewall.sh and modify to include a valid DigitalOcean API key. (script)
  5. Install wstunnel.sh to /etc/wireguard/wstunnel.sh (script)
  6. Create a connection specific config file at /etc/wireguard/wss.wstunnel (example):
REMOTE_HOST=some.server.com
REMOTE_PORT=51820
UPDATE_HOSTS='/etc/hosts'

# Change if using nginx with custom prefix for added security
# WS_PREFIX='E7m5vGDqryd55MMP'

# Change if running WSS on a non-standard port, i.e. 4443
# WSS_PORT=443

# Can change local port of the wstunnel, don't forget to change Peer.Endpoint
# LOCAL_PORT=${REMOTE_PORT}

# If using dnsmasq can supply other file than /etc/hosts
# UPDATE_HOSTS='/usr/local/etc/dnsmasq.d/hosts/tunnels'

# Will send -HUP to dnsmasq to reload hosts
# USING_DNSMASQ=1

Next we will modify the client confg to configure routing and point at the correct endpoint for our websockets tunnel. (Or cheat, and look at the example config)

  1. Ensure the Endpoint directive is pointing at 127.0.0.1:51820
  2. Add the following lines to the [Interface] section:
Table = off
PreUp = source /etc/wireguard/wstunnel.sh && pre_up %i
PostUp = source /etc/wireguard/wstunnel.sh && post_up %i
PostDown = source /etc/wireguard/wstunnel.sh && post_down %i

Note:: Additional config required to include the DigitalOcean firewall script. Example

Finish

The tunnelling should now be configured - ensure the server is running and wstunnel is started on the server and initiate a connection - you should then be able to see the tunnel established by running wg.

Ensure that all files under /etc/wireguard are owned by root:

$ chown -R root: /etc/wireguard
$ chmod 600 /etc/wireguard/*
$ chmod 700 /etc/wireguard/do-firewall.sh

Notes on DigitalOcean Firewall Script

The script is relatively naive, and assumes that only 1 firewall is associcated with the DigitalOcean account.

The do-firewall.sh script provides 3 commands:

  1. ./do-firewall.sh info - display firewall information
  2. ./do-firewall.sh allow - allow inbound 443/tcp traffic
  3. ./do-firewall.sh deny - deny inbound 443/tcp traffic (optionally specify wait to disable after 60s - e.g. ./do-firewall.sh deny wait)

More Repositories

1

nixos-config

jnsgruk's nix flake ❄️
Nix
144
star
2

flypi

A collection of tools for tracking planes/helicopters/UFOs/whatever with ADS-B. Packaged for NixOS with packages and modules
Nix
19
star
3

hello-kubecon

A Charmed Operator demonstration for Operator Day 2021, hosted by Canonical
Python
15
star
4

firecracker-ubuntu

πŸš€ Use Firecracker and helpings of bash to boot Ubuntu virtual machines very fast πŸ”₯
Shell
13
star
5

infra

Personal infrastructure
HCL
12
star
6

libations

A cocktail recipe store for consumption on your mobile device of choice!
HTML
9
star
7

nextcloud-docker-compose

Deploy Nextcloud, Collabora and Traefik with Docker-Compose
PHP
8
star
8

zinc-k8s-operator

Charmed Operator for Zinc: a search engine that does full-text indexing. Zinc is a lightweight alternative to elasticsearch.
Python
8
star
9

crafts-flake

Nix flake for ⭐craft applications and libraries.
Nix
8
star
10

jnsgr.uk

My personal webpage and blog
CSS
6
star
11

wayland-mapper

A simple NodeJS tool to map mouse buttons and touchpad gestures to keyboard combinations under Wayland.
JavaScript
5
star
12

dotfiles

Dotfiles and associated automation
Shell
5
star
13

architect

Simple Arch Linux bootstrap project
Shell
5
star
14

multipass-flake

A Nix flake for Canonical's Multipass
Nix
4
star
15

juju-api

Early design work for a next-generation RESTful Juju client API.
Python
3
star
16

releasegen

Generates a JSON report about Github and Launchpad releases for specified teams
Go
3
star
17

ghstat

A helper for gathering metrics from Greenhouse for Canonical Hiring Leads
Go
3
star
18

traefik-rock

A demonstration of building Traefik using rockcraft
2
star
19

trivy-cvss-tools

Python tools to enable augmentation of JSON formatted Trivy reports with CVSS data
Python
2
star
20

gosherve

A simple HTTP file server with some basic URL shortening/redirect functionality
Go
2
star
21

kismet-kml

Parser for latest development version of Kismet that outputs JSON and KML files
Python
1
star
22

parca-agent-snap

Unofficial snap for the Parca Agent
Shell
1
star
23

releases

See all releases and the status of repos for charm engineering at Canonical
HTML
1
star
24

offline-k3s-demo

Demo repo to illustrate offline deployment of Rancher K3s using Terraform and Ansible
Shell
1
star
25

parca-snap

Unoffical snap for Parca, a continuous profiling tool.
Shell
1
star
26

seldon-core-operator-rock

Example ROCK for Seldon Core Operator
1
star
27

sf-pro-fonts

San Francisco Pro fonts + ligaturized edition
1
star