Wireguard over TCP

I was wondering if anyone has been able to get anything like udptunnel or Maybe stunner to get wireguard to work over tcp. I have installed STUNNEL on my pfsense router in the attempt to set up a vpn server running wireguard on TCP.

Any insight for this project would be greatly appreciated

Thank in advance

Wireguard, as a transport, is UDP only. There is no option to use TCP.

It would theoretically be possible to encapsulate it into a TCP stream by running a TCP tunnel (such as Stunnel or OpenVPN, among others) -- you would do this by first establishing a tunnel with one of the other techniques, then establishing the WG tunnel within that. It would be tricky to do on a single device, but you could prove that it works (for whatever that is worth) by simply starting a TCP tunnel with your VPN technique of choice on OpenWrt and then using your end device (computer, phone, etc.) to run a WG tunnel that gets pushed through the tunnel that OpenWrt has established with some remote endpoint.

But, why? You would negate the vast majority of the benefits of the protocol in the process. In addition, there are many reasons why it is considered to be bad practice to run TCP inside of another TCP stream, and here you could theoretically have TCP running over Wireguard (UDP) that then gets encapsulated by another layer as TCP... this could produce all sorts of problems if the connection is not rock solid.

What is your goal? Why do you need TCP and why do you want to put WG through a TCP tunnel?

To Baffle them with my ignorance.

Router WG default Wan < Computer running OpenVPN TCP :white_check_mark:
Router WG Default Wan < Computer running WireGuard UDP :white_check_mark:
Router WG Default Wan < Computer running OpenVPN TCP and WireGuard UDP :no_entry_sign:

@psherman because I’ve achieved the what I actually want with WireGuard alone:

WireGuard server + clients that can all communicate in a site-to-site fashion through the server. But in SOME cases! I’m in a situation where the networks ahead of me are blocking all udp traffic out. It’s not exactly to baffle anyone with ignorance like @Bill suggested.
I’ve tried doing this with OpenVPN alone but I have had no luck: if I could achieve this with OpenVPN alone I would I’ve been trying for Months!!!

It did work when I last tried it YEARS ago...

Really? That could break quite a lot of things.. there are lots of things that are based on UDP transport beyond just VPNs.

OpenVPN can obviously run in TCP or UDP modes... but once you're going with another VPN layer, there is no reason to stuff WG into the tunnel.

If you're having trouble with OpenVPN (TCP and/or UDP) and or Wireguard, it's probably worth troubleshooting that and finding the root cause of your issues (which may or may not be related to your issues with WG).

Here is a good video that explains why running a VPN via TCP is not recommended. Obviously in some cases it is required if UDP traffic is really blocked, but you'll find that if you try to stuff WG inside another TCP transport, you'll likely experience throughput issues.

Ponder this Git.

Stable - restarts on disconnect
Few dependencies - just bash and socat

sure, see Wireguard and udptunnel ? Any expirience on WG over TCP/443? - #4 by AndrewZ

Many network operators dislike UDP because it is prone to more abuse than TCP lacking the latter's 3-phase handshake to establish a connection. And hence network can/will block or rate-limit UDP often. That is likely to change with UDP-based QUIC becoming more prominent.

1 Like

The attachment to WG for this goal is not a "must". I was just so happy at how this method has been working for me. My Pfsense box action as just like a relay sever so my sites could communicate (network to network). All my connections are really reliable and always up. This idea to be able to do this is primarily for these few situations im in where I can get my client network out on anything other then 443. So if there is a way to do this without WG and only VPN I still see that as a win. The object after the tunnel is work is just to manage some old Cisco 2960 switches that are running ip cameras, and perhaps change a few settings within specific cameras once and a wild. Heavy lifting won't be happening. This is just for troubleshooting and maintenance.

In this post I am diving into just doing it with Openvpn and explain the issues im having. I just don't understand the ovpn files and don't know where to go with what im getting in the logs.

Thank you everyone!!