Wireguard over wstunnel

psherman · November 12, 2022, 8:15pm

I've been thinking about this, too.

@padima - do you control both sides of the tunnel? By this, I mean do you actually have administrative abilities on the far end of your VPN solution (this would be the case if you host your own VPN at a home/business/etc, or if you run a VPS that you personally administer)?

If you do not control both sides, will not be able to run wstunnel unless the remote end administrators are willing to offer you help and the necessary configuration parameters. If they don't provide wstunnel for your use, this represents a 100% dead end. Just like the requirement for a VPN to have 2 endpoints, you must have 2 endpoints for other tunnels like wstunnel.

padima · November 12, 2022, 8:30pm

"kernel": "5.10.146",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.1",
"revision": "r19777-2853b6d652",
"target": "mvebu/cortexa9",
"description": "OpenWrt 22.03.1 r19777-2853b6d652"

well i m renting the vps and can access it remotely and the linksys is in front me so i think i can answer by yes to both of your question @psherman

psherman · November 12, 2022, 8:36pm

That's good. Have you already configured the VPS side?

padima · November 12, 2022, 8:43pm

psherman · November 12, 2022, 8:48pm

Cool... so I'd recommend that you start with an x86 system on your local side to verify that the wstunnel configuration and wireguard will connect properly -- prove out your configuration before you go any further.

I say this because it appears that you'll have to compile the wstunnel yourself for it to run on OpenWrt on an Armv7 mvebu/corexa9 system... so you should do this entirely outside the context of OpenWrt first so that you're not chasing your tail. Then, once you know it works, you can compile the code for your target and then figure out any issues on the OpenWrt side of the equation.

padima · November 12, 2022, 9:02pm

thats seems a bit complicated for me
do you know any tools wich could the same job (websocket) and could replace wstunnel?

psherman · November 12, 2022, 9:06pm

I’ve successfully used stunnel and shadowsocks to encapsulate OpenVPN, but I’ve never tried pushing a wg tunnel through this.

Genova · November 13, 2022, 4:17pm

Hey Padima! Did you solve the problem with wstunnel? I have the same problem, WG is blocked in my country

padima · November 13, 2022, 5:23pm

hi i m in the same case as you can see above , i have issues with software compatibility with my hardware so i m stuck for now ,trying to find another way out

maurer · November 13, 2022, 5:42pm

So you haven't tried running lightpd-mod-wstunnel?

padima · November 13, 2022, 6:26pm

hi maurer
not yet as i don t know what to do with the script in the tutorial?

Genova · November 13, 2022, 7:33pm

Try this it could help - https://www.oilandfish.com/posts/wireguard-shadowsocks.html

and this - https://kirill888.github.io/notes/wireguard-via-websocket/ but first read this comment - https://github.com/Kirill888/notes/issues/3

and this too - https://encomhat.com/2021/07/obfuscate-wireguard/

padima · November 13, 2022, 7:43pm

the kiril tuto is the same as the one i ve posted ,the issue for me now is to build the exe for arm v7 cpu.

i ve also found chisel https://github.com/jpillora/chisel

i think this should work and it has an exe for arm v7 arch.

any openwrt expert could help on how to set this up in openwrt with wireguard ?

@maurer @lleachii @psherman @trendy @hnyman @jow and others ...

Genova · November 13, 2022, 7:46pm

Yes, might be but did you check repositories of openwrt if it has this packets?) I ve checked just now and it does not have this

lleachii · November 14, 2022, 4:30am

"Setup" isn't the first step. You literally have to take the source code and "build" an Executable Binary File first.

See: https://openwrt.org/docs/guide-developer/toolchain/crosscompile

After you have successfully compiled the source code for your Arm processor - then you can copy it to the router and proceed to the instructions found at the Nerd-on-the-Street website.

This is a unique program that places the functionality found in web server modules like lighttpd-mod-wstunnel - into a single Binary Executable File.

trendy · November 14, 2022, 8:39am

I would say that since there is already access to the remote server, most likely ssh, to use that one to tunnel the traffic and make it simple by not using wireguard as well.

maurer · November 14, 2022, 1:24pm

alright this is wstunnel compiled for armhf (wrt3200) https://www.dropbox.com/s/ofg34ir3a0n1fa8/wstunnel?dl=1 but there's a catch - it doesn't work on plain openwrt but inside a lxc container (I tested it on debian10) see https://openwrt.org/lxc_openwrt_host
Ideally you should open a new thread if you want to go this route for the community to help you set up lxc
...
and another approach could be https://github.com/moparisthebest/wireguard-proxy - there are builds for openwrt (tested on omnia 21.02 - same cpu family as wrt3200) and x64 ofc
...
same here https://github.com/wangyu-/udp2raw
...
shadowsocks-libev is available as openwrt package alreadyas recommended Wireguard over wstunnel - #41 by Genova

padima · November 14, 2022, 9:50pm

hi maurer
thank you for the compile, but i m not feeling courageous enough right now to try the lxc container.

i ve checked the wg-proxy and it looks like better at my level so i did install ithe appropriate exe on the both side .
and use these on ;(wg server is supposed to listen on 52000)
server :
./wireguard-proxy --tcp-host 0.0.0.0:53000 --udp-target 127.0.0.1:52000
client (openwrt)
./wireguard-proxy --tcp-target serverip:53000 --udp-host 127.0.0.1:52000

i have modified the endpoint on the openwrt wg setup (thru luci), and started the wg interface after typing the above commande on ssh
but i m loosing the connection , the wg is sending packets and nothing is received and the wg-proxy on the server side doesnt see anything,so i suppose there is something wrong

would that be possible for you to give details on the setup you have used on the omnia 21.02 or better give us a tutorial to setup this up?

thanks

maurer · November 15, 2022, 6:29am

sorry only tested that the binary is working - nothing set up
I might try the wg-on-ss though depending on my spare time...
...
alright @padima here's the wg-on-ss writeup of my experience:
I had some credits ($$$) with a (openstack) cloud provider so I used 2 instances (vps) in 2 different local networks:

ubuntu 20.04 ip 10.20.129.233
openwrt 22.03 ip 10.19.127.188
(x86-64 but shouldn't matter as the config is the same for all architectures)

I won't go into details of the wireguard and/or ubuntu setup as it was done mostly following:
https://www.oilandfish.com/posts/wireguard-shadowsocks.html

As for openwrt setup:

 opkg install shadowsocks-libev-ss-local shadowsocks-libev-ss-redir shadowsocks-libev-ss-rules shadowsocks-libev-ss-tunnel luci-app-shadowsocks-libev

edit the shadowsocks config
vi /etc/config/shadowsocks-libev
with the following config:

config ss_tunnel
        option server 'sss0'
        option local_address '127.0.0.1'
        option local_port '1080'
        option tunnel_address '127.0.0.1:53933'
        option password 'xxMY-PASS-HERExx'
        option mode 'udp_only'
        option timeout '300'
        option disabled '0'

config server 'sss0'
        option server '10.20.129.233'
        option server_port '1433'
        option method 'chacha20-ietf-poly1305'
        option password 'xxMY-PASS-HERExx'

and ONLY wireguard network config vi /etc/config/shadowsocks-libev
and also add a static route to server (uubntu) ip

#ignore the rest
...
config wireguard_vpn 'wgserver'
        option public_key '***my-pub-here***'
        option preshared_key '***my-psk-here***'
        option endpoint_host '127.0.0.1' #localhost ss ip
        option endpoint_port '1080' #localhost ss port
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

# static route
config route 'route_to_wg_server'
        option interface 'wan'
        option target '10.20.129.233'
        option netmask '255.255.255.255'
        option gateway '10.19.127.129'

now restart the affected services:
/etc/init.d/shadowsocks-libev restart
and /etc/init.d/network restart

now you should be able to ping wg server ip from client and backwards.
some notes:
speedtest (iperf3) unencrypted traffic (remember the cloud server - Xeon CPUs)

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  11.3 GBytes  9.67 Gbits/sec  8374             sender
[  5]   0.00-10.04  sec  11.3 GBytes  9.64 Gbits/sec                  receiver

speedtest (iperf3) wg only encrypted traffic

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.11 GBytes  1.81 Gbits/sec  132             sender
[  5]   0.00-10.06  sec  2.10 GBytes  1.80 Gbits/sec                  receiver

and speedtest (iperf3) wg+ss encrypted traffic

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   148 MBytes   124 Mbits/sec  164             sender
[  5]   0.00-10.04  sec   146 MBytes   122 Mbits/sec                  receiver

so expect >> 10x bandwidth degradation with double encryption
...
managed to get wstunnel (x86-64) running and did some iperf3 speedtest:

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  94.0 MBytes  78.8 Mbits/sec  190             sender
[  5]   0.00-10.05  sec  91.6 MBytes  76.5 Mbits/sec                  receiver

so worst than wg-over-ss

system · September 11, 2023, 6:26pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.