diff --git a/README.md b/README.md index f0aca11..dc221b8 100644 --- a/README.md +++ b/README.md 
@@ -228,8 +228,61 @@ wstunnel client --http-upgrade-path-prefix h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd Now your wstunnel server, will only accept connection if the client specify the correct path prefix during the upgrade request. ### Wireguard and wstunnel -https://kirill888.github.io/notes/wireguard-via-websocket/ +You have a working wireguard client configuration called `wg0.conf`. Let's say +``` +[Interface] +Address = 10.200.0.2/32, fd00:cafe::2/128 +PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= + +[Peer] +PublicKey = 9iicV7Stdl/U0RH1BNf3VvlVjaa4Eus6QPEfEz6cR0c= +AllowedIPs = 0.0.0.0/0, ::/0 +Endpoint = my.server.com:51820 +``` + +Start wstunnel server on my.server.com like this +``` +wstunnel server --restrict-to localhost:51820 wss://[::]:443 +``` + +on your local machine start the client like this +``` +wstunnel client -L 'udp://51280:localhost:51280?timeout_sec=0' wss://my.server.com:443 +``` + +change your wireguard client config to something +``` +[Interface] +Address = 10.200.0.2/32, fd00:cafe::2/128 +PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= +# Replace by a dns your server has access to +dns = 8.8.8.8 +# https://github.com/nitred/nr-wg-mtu-finder to find best mtu for you +MTU = 1400 + +[Peer] +PublicKey = 9iicV7Stdl/U0RH1BNf3VvlVjaa4Eus6QPEfEz6cR0c= +AllowedIPs = 0.0.0.0/0, ::/0 +# Should target port where wstunnel client is listenning to +Endpoint = localhost:51820 +# Should not be necessary if you enable wstunnel client websocket ping +PersistentKeepalive = 20 +``` + +Add a default route to your server, as your AllowedIps are catch-all, it is to avoid the traffic looping. 
+```bash +sudo ip route add ip.of.my.server.com dev eth0 via 192.168.0.1 +# replace eth0 (interface) and 192.168.0.1 (router gateway) by the one given by `ip route get ip.of.my.server.com` +``` + +start your wireguard, and it should be working +``` +sudo wg-quick up wg0 +ping 10.200.0.1 # ping another ip of your vpn network +``` + +FAQ - Disable default udp tunnel timeout that will auto-close it after 30sec. `i.e: udp://1212:127.0.0.1:5201?timeout_sec=0` - If you see some throughput issue, be sure to lower the MTU of your wireguard interface (you can do it via config file) to something like 1300 or you will endup fragmenting udp packet (due to overhead of other layer) which is always causing issues - If wstunnel cannot connect to server while wireguard is on, be sure you have added a static route via your main gateway for the ip of wstunnel server. diff --git a/src/main.rs b/src/main.rs index 532d0f5..f4cf556 100644 --- a/src/main.rs +++ b/src/main.rs @@ -71,7 +71,7 @@ struct Client { /// 'tcp://1212:google.com:443' => listen on server for incoming tcp cnx on port 1212 and forward to google.com on port 443 from local machine /// 'udp://1212:1.1.1.1:53' => listen on server for incoming udp on port 1212 and forward to cloudflare dns 1.1.1.1 on port 53 from local machine /// 'socks://[::1]:1212' => listen on server for incoming socks5 request on port 1212 and forward dynamically request from local machine - #[arg(short='R', long, value_name = "{tcp,udp}://[BIND:]PORT:HOST:PORT", value_parser = parse_tunnel_arg, verbatim_doc_comment)] + #[arg(short='R', long, value_name = "{tcp,udp,socks5}://[BIND:]PORT:HOST:PORT", value_parser = parse_tunnel_arg, verbatim_doc_comment)] remote_to_local: Vec, /// (linux only) Mark network packet with SO_MARK sockoption with the specified value.
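Review bot: the port in the client command of the README hunk does not match the rest of the walkthrough: `wstunnel client -L 'udp://51280:localhost:51280?timeout_sec=0' wss://my.server.com:443` listens on 51280, but the server is started with `--restrict-to localhost:51820` and the new WireGuard config points at `Endpoint = localhost:51820`, so as written WireGuard sends to a port nothing listens on, and the server would refuse a forward to 51280 anyway. It should read `udp://51820:localhost:51820?timeout_sec=0`. Two smaller points in the same hunk: the key `dns = 8.8.8.8` is documented by wg-quick as `DNS`, and the rest of the file uses the documented capitalization (`Address`, `MTU`, `PersistentKeepalive`), so this one should too; and "Add a default route to your server" actually describes a host route for the server's IP via the existing gateway (the FAQ entry below correctly calls it a static route), so "default route" is misleading. The reason it is needed is worth stating plainly: with `AllowedIPs = 0.0.0.0/0` the wstunnel client's own TLS connection to my.server.com would otherwise be routed into wg0. Since the main.rs side of this patch documents an SO_MARK socket option, cross-referencing it here as the alternative to the static route would help. Minor typos in the added text: "listenning", "endup", and inconsistent "wireguard"/"Wireguard" capitalization.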
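Review bot: in the main.rs hunk the new `value_name` advertises `socks5://` while the doc comment example two lines above still reads `'socks://[::1]:1212'`, so the help output now shows two different scheme names for the same tunnel type; one of them should change to match what `parse_tunnel_arg` actually accepts. The shape `[BIND:]PORT:HOST:PORT` also does not describe the socks example, which has no `HOST:PORT` part because the destination comes from the socks5 request, so the value_name could spell that out, e.g. `{tcp,udp}://[BIND:]PORT:HOST:PORT or socks5://[BIND:]PORT`. If the `-L` (local_to_remote) argument carries the same value_name it needs the same update, but that field is outside this hunk.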