Wireguard over wstunnel

Official docs not that helpful https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModWSTunnel

i have copied the arm64 on the openwrt but no set up yet so i dont know if it ll work on it or not

yes i have seen that doc and didn t undertand anything about to set this up

Please see:

(BTW, you can make one post to answer two.)
Yes it is.

server.document-root = "/tmp" 
server.modules += ( "mod_wstunnel" )
$HTTP["url"] =~ "^/websockify" {
    wstunnel.server = ( "" => ( ( "host" => "", "port" => "xxxxx" ) ) )
    wstunnel.frame-type = "binary" 
    server.stream-request-body  = 2
    server.stream-response-body = 2

xxxxx == wireguard_port

I think this should work if I understood the documentation.

But at this point, I would now inquire in a community someone who has setup lighttpd-mod-wstunnel for Wireguard on Proton VPN - or:

If they introduced it, they don't offer you a sample lighttpd config?

i m not using proton vpn server but have set it up with my own server.

i have requested help from proton but no answer yet

shoud i execute the script still on openwrt ?

i ll configure as your suggestion for the wstunnel conf file

So you already setup wstunnel on the other side?

Can you show that config, please?


I think you're saying that you asked Proton - even thought you're not their customer. Cool.

1/ the config is the one on the tutorial so the wstunnel is active on my ubuntu server at the time of the writing
2/they said they are open source and they have set the wireguard over tcp then the ws tunnel and they have posted about that somewhere on reddit so i have requested help from the poster

1 Like

Let's start from the basics. What is the output of:

ubus call system board

I've been thinking about this, too.

@padima - do you control both sides of the tunnel? By this, I mean do you actually have administrative abilities on the far end of your VPN solution (this would be the case if you host your own VPN at a home/business/etc, or if you run a VPS that you personally administer)?

If you do not control both sides, will not be able to run wstunnel unless the remote end administrators are willing to offer you help and the necessary configuration parameters. If they don't provide wstunnel for your use, this represents a 100% dead end. Just like the requirement for a VPN to have 2 endpoints, you must have 2 endpoints for other tunnels like wstunnel.

"kernel": "5.10.146",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.1",
"revision": "r19777-2853b6d652",
"target": "mvebu/cortexa9",
"description": "OpenWrt 22.03.1 r19777-2853b6d652"

well i m renting the vps and can access it remotely and the linksys is in front me so i think i can answer by yes to both of your question @psherman

That's good. Have you already configured the VPS side?

Cool... so I'd recommend that you start with an x86 system on your local side to verify that the wstunnel configuration and wireguard will connect properly -- prove out your configuration before you go any further.

I say this because it appears that you'll have to compile the wstunnel yourself for it to run on OpenWrt on an Armv7 mvebu/corexa9 system... so you should do this entirely outside the context of OpenWrt first so that you're not chasing your tail. Then, once you know it works, you can compile the code for your target and then figure out any issues on the OpenWrt side of the equation.

1 Like

thats seems a bit complicated for me
do you know any tools wich could the same job (websocket) and could replace wstunnel?

I’ve successfully used stunnel and shadowsocks to encapsulate OpenVPN, but I’ve never tried pushing a wg tunnel through this.

1 Like

Hey Padima! Did you solve the problem with wstunnel? I have the same problem, WG is blocked in my country

hi i m in the same case as you can see above , i have issues with software compatibility with my hardware so i m stuck for now ,trying to find another way out

1 Like

So you haven't tried running lightpd-mod-wstunnel?

hi maurer
not yet as i don t know what to do with the script in the tutorial?

Try this it could help - https://www.oilandfish.com/posts/wireguard-shadowsocks.html

and this - https://kirill888.github.io/notes/wireguard-via-websocket/ but first read this comment - https://github.com/Kirill888/notes/issues/3

and this too - https://encomhat.com/2021/07/obfuscate-wireguard/