Wireguard over wstunnel

hello there

i m trying to get my openwrt router connected to a wireguard server knowing that my isp is blocking the handshake .so i need to use wstunnel to hide the tunnel

can anyone help me apply this tutorial for openwrt:

i m blocked at the wstunnel for openwrt and it s configuration as client

Just to make sure your starting with the correct assumptions -- how do you know the ISP is blocking the handshake? Is this documented somewhere for your ISP?

In many cases (but obviously not all), the issue of broken handshakes boils down to two likely problems:

  1. incorrect key exchange and/or general wireguard configuration
  2. no public IP address (i.e. ISP provides a NAT/CG-NAT address).
1 Like

yes i m sure they are blocking the handshake ,my setup was just working before they started to do this

what troubleshooting have you done to confirm that it is blocked?

i m on this since more than 15 days , u ll have to trust me when i m saying they are blocking it here and we need a tunnel to hide it , i ve found that tutorial about wstunnel but there are several type of tunnels wichan can be used

1 Like

I bring this up because there are other reasons a tunnel can stop working.

1 Like

i can understand but my setup was working fine before and i need to use a tunnel to use again wireguard

If you want to tunnel, why not simply change the port on the "server" side to test?

Perhaps to a common UDP port.

This will also eliminate a possibility that they're blocking the IP.

There's nothing on that page.


1 Like

this is the link

And the question?

Since you may have to change this anyway, have you tried this first?

If it's being blocked, changing the port may solve that - same with using a [nested] tunnel on another port.

(Just a simple question - if you don't understand why you were being asked, maybe this test that you might have to perform anyway could fix it.)

  • Also, can you ping the endpoint?
  • Does either WAN IP begin with 100.x.x.x?

You mentioned no handshake, but can you see sent/received packets? (this is quite important)

they are using dpi to block vpn here. changing port port doesnt solve the problem
in the case of wireguard ,the first handshake never happened when the setup is normal ,meaning without any tunnel.

why u dont just try to find a way to apply the tutorial instead of asking side questions
believe me i have tried everything possible to get it online back again.
i had this setup since almost 2 years

Shouldn't you do that - I don't need a nested tunnel (and I would be setting one up to test for you - so I don't understand the rudeness)?

To answer you - when you sent the link - it was blank, I'd have to read it first (duh). Next, after that - I'm trying to understand how using a nested tunnel with the same encryption inside will defeat DPI. So they're not "side questions".

(I guess you don't understand and just think people don't believe you or something.)

That didn't answer me, it's a symptom of the DPI, or you don't understand the WG protocol.

  • There should be "nothing" to inspect - hence question about changing ports, which you'll need to setup with another tunnel - so again, not a "side question"
  • Then, using a tunnel may not solve that, hence the relevant inquires you call "side questions"
  • We need to know what port is usable - so not a side question
  • I assume you can ping, but again, need to know if the endpoint is reachable - not a side question

(I'm actually curious to see if I can setup a DPI to see WG - which I understood to be rather difficult, then try the nested tunnel to see if it works.)

After reading the tutorial - you simply follow all steps. It will setup a permanently connected WG connection to your far end device - as it disables routing and sends all traffic thru the websocket tunnel.

I don't think this will solve the DPI problem you have, though. Are you having a specific issue on a step?

In any case, just let us know if you're having an issue on any step - as the instructions are extremely straightforward?

i.e. What do you need help "applying" from the tutorial?

i dont want to be rude at all, just trying to explain you that without tunneling it wont work
proton vpn have introduced the tunneling on their wireguard because of that.
my openwrt is on client side ,i dont know how can i adapt the settings as there is an script to be used and the wstunnel (is it executable as it is in openwrt?)
is there any settings i should change for routing the traffic?

OK...that script is in the step that says:

Step 14: Download and install wstunnel

Thing is, there is a package on OpenWrt:

So I would suggest installing that and use the OpenWrt methods to configure from that step. I'll be honest, hopefully someone else is familiar with installing that - as this proceeds to install another web server (hence that port question I asked you about). I'm not familiar with resolving nuances with doing so, especially on a router that uses another web server for its GUI.

i m talking about this one:

i have installed that package but i don t know how to adapt the settings i ve read on the tutorial and how to use the script on this

I'm aware of what you're talking about. That's a configuration script. I'm not sure how you'd configure wstunnel before you install it, but OK...so I'm going to assume you have accomplished installation (and config?).

There's quite a few routing statements in the script. I assume you already have that setup, correct (as you noted the tunnel was setup for 2 years)?

So I'm really not sure why you're inquiring about that script. Are you familiar with the syntax contained inside; or are you asking about the entirety of the script?

If you're asking about the entirety of the script - would need to actually know what parts - or you could ask the person who made it.

You need to configure the proxy (recall the port test "side questions"). It seems that begins at Step 16.

EDIT: are you running an x86_64 version of OpenWrt and executing the wstunnel-x64-linux file; or did you install package I noted above?

1/the wstunnel on openwrt is not setup ,hence the post
2/i didnt install the script on openwrt as i dont know if it ll work for it

3/the setup of 2 years was for wireguard only not the wstunnel

4/see 2/

5/ i dont know how to translate the settings of the tutorial in the light.... package

my openwrt is on a arm cpu (linksys wrt3200 )

i have installed both the package as well as the arm exe

There is no wstunnel build for wrt3200 (armhf 32bits) only for arm64 (rpi3 or 4 example)

1 Like

OK...let's hold this (see below).

Correct, the wstunnel is setup between the two proxy connection that will carry the Wireguard UDP traffic, your routes remain the same - hence my question.

Again, see my response to 2 and 3.

Ummm, you cannot execute a binary on the wrong CPU...anyways, I don't think the OpenWrt package will work. This wstunnel from github is a program.

OK, Step 1, are you able to execute the ARM file?

Nope - no such luck.

You'll need to configure the lighttpd-mod-wstunnel.

@frollic @trendy @hnyman @jow - any ideas (e.g. how do you add mod-wstunnel configs to lighttpd's config?