Wireguard over wstunnel

The Kiril tutorial is the same as the one I've posted; the issue for me now is to build the exe for an ARM v7 CPU.

I've also found chisel: https://github.com/jpillora/chisel

I think this should work, and it has an exe for the ARM v7 arch.

Could any OpenWrt expert help on how to set this up in OpenWrt with WireGuard?

@maurer @lleachii @psherman @trendy @hnyman @jow and others ...

Yes, might be, but did you check the OpenWrt repositories to see if it has this package? I've checked just now and it does not have this.

"Setup" isn't the first step. You literally have to take the source code and "build" an Executable Binary File first.

See: https://openwrt.org/docs/guide-developer/toolchain/crosscompile

After you have successfully compiled the source code for your Arm processor - then you can copy it to the router and proceed to the instructions found at the Nerd-on-the-Street website.

This is a unique program that places the functionality found in web server modules like lighttpd-mod-wstunnel - into a single Binary Executable File.

I would say that since there is already access to the remote server, most likely ssh, to use that one to tunnel the traffic and make it simple by not using wireguard as well.

alright this is wstunnel compiled for armhf (wrt3200) https://www.dropbox.com/s/ofg34ir3a0n1fa8/wstunnel?dl=1 but there's a catch - it doesn't work on plain openwrt but inside a lxc container (I tested it on debian10) see https://openwrt.org/lxc_openwrt_host
Ideally you should open a new thread if you want to go this route for the community to help you set up lxc
...
and another approach could be https://github.com/moparisthebest/wireguard-proxy - there are builds for openwrt (tested on omnia 21.02 - same cpu family as wrt3200) and x64 ofc
...
same here https://github.com/wangyu-/udp2raw
...
shadowsocks-libev is available as an openwrt package already, as recommended in Wireguard over wstunnel - #41 by Genova

hi maurer
thank you for the compile, but I'm not feeling courageous enough right now to try the lxc container.

I've checked the wg-proxy and it looks better suited to my level, so I did install the appropriate exe on both sides
and used these (wg server is supposed to listen on 52000):
server :
./wireguard-proxy --tcp-host 0.0.0.0:53000 --udp-target 127.0.0.1:52000
client (openwrt)
./wireguard-proxy --tcp-target serverip:53000 --udp-host 127.0.0.1:52000

I have modified the endpoint on the openwrt wg setup (through LuCI), and started the wg interface after typing the above commands over ssh,
but I'm losing the connection: wg is sending packets and nothing is received, and the wg-proxy on the server side doesn't see anything, so I suppose there is something wrong.

Would it be possible for you to give details on the setup you have used on the omnia 21.02, or better, give us a tutorial to set this up?

thanks

sorry only tested that the binary is working - nothing set up
I might try the wg-on-ss though depending on my spare time...
...
alright @padima here's the wg-on-ss writeup of my experience:
I had some credits ($$$) with a (openstack) cloud provider so I used 2 instances (vps) in 2 different local networks:

  • ubuntu 20.04 ip 10.20.129.233
  • openwrt 22.03 ip 10.19.127.188
    (x86-64 but shouldn't matter as the config is the same for all architectures)

I won't go into details of the wireguard and/or ubuntu setup as it was done mostly following:
https://www.oilandfish.com/posts/wireguard-shadowsocks.html

As for openwrt setup:

 opkg install shadowsocks-libev-ss-local shadowsocks-libev-ss-redir shadowsocks-libev-ss-rules shadowsocks-libev-ss-tunnel luci-app-shadowsocks-libev

edit the shadowsocks config
vi /etc/config/shadowsocks-libev
with the following config:

config ss_tunnel
        option server 'sss0'
        option local_address '127.0.0.1'
        option local_port '1080'
        option tunnel_address '127.0.0.1:53933'
        option password 'xxMY-PASS-HERExx'
        option mode 'udp_only'
        option timeout '300'
        option disabled '0'

config server 'sss0'
        option server '10.20.129.233'
        option server_port '1433'
        option method 'chacha20-ietf-poly1305'
        option password 'xxMY-PASS-HERExx'

and ONLY wireguard network config vi /etc/config/shadowsocks-libev
and also add a static route to server (ubuntu) ip

#ignore the rest
...
config wireguard_vpn 'wgserver'
        option public_key '***my-pub-here***'
        option preshared_key '***my-psk-here***'
        option endpoint_host '127.0.0.1' #localhost ss ip
        option endpoint_port '1080' #localhost ss port
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

# static route
config route 'route_to_wg_server'
        option interface 'wan'
        option target '10.20.129.233'
        option netmask '255.255.255.255'
        option gateway '10.19.127.129'

now restart the affected services:
/etc/init.d/shadowsocks-libev restart
and /etc/init.d/network restart

now you should be able to ping wg server ip from client and backwards.
some notes:
speedtest (iperf3) unencrypted traffic (remember the cloud server - Xeon CPUs)

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  11.3 GBytes  9.67 Gbits/sec  8374             sender
[  5]   0.00-10.04  sec  11.3 GBytes  9.64 Gbits/sec                  receiver

speedtest (iperf3) wg only encrypted traffic

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.11 GBytes  1.81 Gbits/sec  132             sender
[  5]   0.00-10.06  sec  2.10 GBytes  1.80 Gbits/sec                  receiver

and speedtest (iperf3) wg+ss encrypted traffic

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   148 MBytes   124 Mbits/sec  164             sender
[  5]   0.00-10.04  sec   146 MBytes   122 Mbits/sec                  receiver

so expect >> 10x bandwidth degradation with double encryption
...
managed to get wstunnel (x86-64) running and did some iperf3 speedtest:

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  94.0 MBytes  78.8 Mbits/sec  190             sender
[  5]   0.00-10.05  sec  91.6 MBytes  76.5 Mbits/sec                  receiver

so worse than wg-over-ss :)

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
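
The wg-on-ss setup in the writeup above only works when three settings line up across two config files: the WireGuard peer endpoint must equal the ss_tunnel listener, ss_tunnel must relay UDP, and the shadowsocks server needs a host route that stays outside the tunnel. The script below is an added example, not code from the thread or from OpenWrt; the function names uci_opt, has_host_route and check_chain are made up for it, it assumes the wireguard_vpn and route sections come from /etc/config/network, and its awk parser handles only single-word quoted values.

```shell
# Added example. The sample configs are constructed from values in the thread;
# on a router, pass "$(cat /etc/config/shadowsocks-libev)" and the network file.
SS_CFG="config ss_tunnel
        option local_address '127.0.0.1'
        option local_port '1080'
        option mode 'udp_only'
config server 'sss0'
        option server '10.20.129.233'"
NET_CFG="config wireguard_vpn 'wgserver'
        option endpoint_host '127.0.0.1' #localhost ss ip
        option endpoint_port '1080' #localhost ss port
        list allowed_ips '0.0.0.0/0'
config route 'route_to_wg_server'
        option target '10.20.129.233'
        option netmask '255.255.255.255'"

# uci_opt TEXT TYPE OPTION: value of OPTION in the first "config TYPE" section.
uci_opt() {
    printf '%s\n' "$1" | awk -v t="$2" -v o="$3" -v q="'" '
        $1 == "config" { insec = ($2 == t) }
        insec && $1 == "option" && $2 == o { gsub(q, "", $3); print $3; exit }'
}

# has_host_route TEXT IP: succeeds if a "config route" section targets IP as a /32.
has_host_route() {
    printf '%s\n' "$1" | awk -v ip="$2" -v q="'" '
        function hit() { return tgt == ip && mask == "255.255.255.255" }
        $1 == "config" { if (hit()) ok = 1; inr = ($2 == "route"); tgt = mask = "" }
        inr && $1 == "option" { gsub(q, "", $3)
            if ($2 == "target") tgt = $3; if ($2 == "netmask") mask = $3 }
        END { if (hit()) ok = 1; exit !ok }'
}

# check_chain SS_TEXT NET_TEXT: prints findings, returns the number of problems.
check_chain() {
    bad=0; srv="$(uci_opt "$1" server server)"
    ep="$(uci_opt "$2" wireguard_vpn endpoint_host):$(uci_opt "$2" wireguard_vpn endpoint_port)"
    lo="$(uci_opt "$1" ss_tunnel local_address):$(uci_opt "$1" ss_tunnel local_port)"
    # WireGuard must hand its UDP to the local ss-tunnel listener, nothing else.
    [ "$ep" = "$lo" ] || { echo "FAIL: wg endpoint $ep != ss_tunnel $lo"; bad=$((bad + 1)); }
    case "$(uci_opt "$1" ss_tunnel mode)" in
        udp_only|tcp_and_udp) ;;
        *) echo "FAIL: ss_tunnel mode is not udp_only/tcp_and_udp"; bad=$((bad + 1)) ;;
    esac
    # With allowed_ips 0.0.0.0/0 the carrier packets need their own route to the server.
    has_host_route "$2" "$srv" || { echo "FAIL: no host route to $srv"; bad=$((bad + 1)); }
    [ "$bad" -eq 0 ] && echo "OK: wg -> $lo -> ss server $srv"
    return "$bad"
}
check_chain "$SS_CFG" "$NET_CFG"
```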