wireguard over TCP

README.md

To pass wireguard's traffic through a TCP tunnel by using udp2raw

Requirements

For Arch linux, install udp2raw by pacman: pacman -S udp2raw

For Debian or Ubuntu, you can use a binary release from: https://github.com/wangyu-/udp2raw/releases

Then, install it under /sbin directory. For example, on a x86_64 system:

wget https://github.com/wangyu-/udp2raw/releases/download/20200818.0/udp2raw_binaries.tar.gz
tar xzvf udp2raw_binaries.tar.gz
sudo mv udp2raw_amd64 /sbin

Instruction:

• Replace private and public keys in configuration files
• Replace password in udp2raw command in both server's and client's configuration file
• Change YOUR-SERVER-IP in client's config file (in udp2raw command) to your server IP address
• On both server and client, copy corresponding config file to /etc/wireguard/wg0
• Start wireguard on both server and client: sudo systemctl start wg-quick@wg0
• Check connectivity by performing a ping command from client: ping 10.8.0.1

Notes:

• Please note that based on the configuration provided, by udp2raw command, port 4096 of your server will be exposed to the world. Of course, you can change it to another port number.
• If it doesn't work, remove PreUp and Postdown lines from both configs and run udp2raw commands in command-line with a --log-level option to see if TCP tunnel can be successfully established.

client-wg0

# Client configuration

[Interface]
PrivateKey = YOUR-CLIENT-PRIVATE-KEY
Address = 10.8.0.2/32
MTU = 1200
PreUp = udp2raw -c -l 127.0.0.1:51820 -r YOUR-SERVER-IP:4096 -k "your-password" --raw-mode faketcp -a --log-level 0 &
Postdown = pkill -f "udp2raw.*:51820"

[Peer]
PublicKey = 1w2ffwBzjyJMtPGB2QEe9hFHZ7bUyw3+cxhBC+OZfyM=
AllowedIPs = 10.8.0.0/24
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 20

server-wg0

# Server configuration

[Interface]
Address = 10.8.0.1/24
MTU = 1200
ListenPort = 51820
PrivateKey = YOUR-SERVER-PRIVATE-KEY
PreUp = sudo udp2raw -s -l 0.0.0.0:4096 -r 127.0.0.1:51820 -k "your-password" --raw-mode faketcp -a --log-level 0 &
Postdown = pkill -f "udp2raw.*:51820"

# Add your peers here
[Peer]
PublicKey = 1w2ffwBzjyJMtPGB2QEe9hFHZ7bUyw3+cxhBC+OZfyM=
AllowedIPs = 10.8.0.2/32

NOTE: this will not work with AllowedIPs = 0.0.0.0/0 for example, as the udp2raw tunnel would break.

a potential workaround is to use something like https://www.lautenbacher.io/en/lamp-en/wireguard-exclude-a-single-ip-address/ to generate a list which excludes your udp2raw server IP.

another possibility is setting up an explicit route for the server IP as described in https://www.procustodibus.com/blog/2022/02/wireguard-over-tcp/#point-to-internet

@lexavey I had the same problem. WireGuard seems to be connected, but there is this log prompt all the time. I don’t know what happened. Have you solved this problem?

NOTE: this will not work with AllowedIPs = 0.0.0.0/0 for example, as the udp2raw tunnel would break.

another possibility is setting up an explicit route for the server IP as described in https://www.procustodibus.com/blog/2022/02/wireguard-over-tcp/#point-to-internet

Yes. If you need 0.0.0.0/0. Just added a explicit rout for the server IP at client side:

ip route add ${YOUR_SERVER_IP} via  ${YOUR_GATEWAY}

Can you help me , both client and server udp2raw log :

[2023-11-13 07:02:43][DEBUG]recv_safer failed!
[2023-11-13 07:02:44][DEBUG][38.9.140.224:58648][hb]received hb
[2023-11-13 07:02:44][DEBUG]heart beat sent<8ea7619c,d45052b1>
[2023-11-13 07:02:44][DEBUG]cipher_decrypt failed
[2023-11-13 07:02:44][DEBUG]recv_safer failed!
[2023-11-13 07:02:44][DEBUG][38.9.140.224:58648][hb]received hb
[2023-11-13 07:02:44][DEBUG]heart beat sent<8ea7619c,d45052b1>
[2023-11-13 07:02:44][DEBUG]cipher_decrypt failed
[2023-11-13 07:02:44][DEBUG]recv_safer failed!

In 80% case, it means your -k/--key or --cipher-mode --auth-mode doesn't match on client and server side. In this case, it's an easy fix.

In 5% case, it means your internet connection doesn't allow the packet constructed by raw socket to passthrough transparently (It might be because of your client's ISP or virtual machine's network adapter mode; or something related to your server's network infrastructure). In this case, you can barely do anything other than changing the ISP or server provider.

I had to add masquerade iptable rules to forward the internet from the server to the client. I could ping the server, and even check the connection by launching an http server on the endpoint, but I couldn't access its outside connection

Here's how I did it:

PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

see: https://www.procustodibus.com/blog/2020/11/wireguard-point-to-site-config/

I had to add masquerade iptable rules to forward the internet from the server to the client. I could ping the server, and even check the connection by launching an http server on the endpoint, but I couldn't access its outside connection

Here's how I did it:

PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

see: https://www.procustodibus.com/blog/2020/11/wireguard-point-to-site-config/

Very well write up, thanks for sharing!

Forgot to say, there's a typo in sudo systemclt start wg-quick@wg0 it should be systemctl

Forgot to say, there's a typo in sudo systemclt start wg-quick@wg0 it should be systemctl

Good catch! corrected.

This works for me (with 0.0.0.0/0), it works in telegram, but for some reason it breaks all browsers, firefox and chromium based. If I try to open wikipedia in the browser I'll get timeout. But if I do curl https://wikipedia.org it loads wiki perfectly fine. Weird.

solved my issue by lowering MTU to 1100