@hamid-rostami
Last active August 22, 2024 08:46
wireguard over TCP

Pass WireGuard's UDP traffic through a TCP-looking tunnel using udp2raw (--raw-mode faketcp). udp2raw wraps each datagram in a packet that carries a TCP header but is not a real TCP connection, which is why networks that inspect or rewrite TCP state can refuse to pass it (see the last comment below).

Requirements

For Arch Linux, install udp2raw with pacman: pacman -S udp2raw

For Debian or Ubuntu, use a binary release from: https://github.com/wangyu-/udp2raw/releases

Then install the binary for your architecture under /sbin as udp2raw, the name the configuration files below invoke. For example, on an x86_64 system (release 20200818.0):

wget https://github.com/wangyu-/udp2raw/releases/download/20200818.0/udp2raw_binaries.tar.gz
tar xzvf udp2raw_binaries.tar.gz
sudo mv udp2raw_amd64 /sbin/udp2raw

Instructions:

  • Replace the keys: each side's [Interface] PrivateKey is its own private key (wg genkey), and each [Peer] PublicKey is the other side's public key (wg pubkey). The two configs must not share a public key.
  • Replace the -k password in the udp2raw command in both the server's and the client's configuration file; it must be identical on both sides.
  • Change YOUR-SERVER-IP in the client's config file (in the udp2raw command) to your server's IP address.
  • On both server and client, copy the corresponding config file to /etc/wireguard/wg0.conf, readable by root only; wg-quick@wg0 loads exactly that path.
  • Start WireGuard on both server and client: sudo systemctl start wg-quick@wg0
  • Check connectivity with a ping from the client: ping 10.8.0.1 (sudo wg show wg0 on either side reports the latest handshake).
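The whole procedure above, scripted, as an added example that is not part of the original gist: it renders both wg-quick config files from your own keys, password and server address with the same udp2raw flags the gist uses, refuses to install a file that still carries a placeholder or the sample password, and on the server firewalls the plain UDP port that WireGuard's ListenPort also opens. The function names are assumptions made for this example; gen_keypair needs wireguard-tools, install_conf and restrict_wg_udp need root.

```shell
#!/bin/sh
# Added example, not code from the gist: render and sanity-check the two
# wg-quick config files described above, then install them. The udp2raw
# flags, ports and 10.8.0.0/24 addressing are the gist's; the function names
# are made up for this example.

WG_PORT=51820      # WireGuard ListenPort; reached only through udp2raw
TUNNEL_PORT=4096   # TCP-looking port udp2raw exposes on the server

# Generate a WireGuard key pair with wg(8); prints "<private> <public>".
# Needs wireguard-tools installed.
gen_keypair() {
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# Client wg0.conf: $1 client private key, $2 server public key,
# $3 server IP, $4 udp2raw password.
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.8.0.2/32
MTU = 1200
PreUp = udp2raw -c -l 127.0.0.1:$WG_PORT -r $3:$TUNNEL_PORT -k "$4" --raw-mode faketcp -a --log-level 0 &
PostDown = pkill -f "udp2raw.*:$WG_PORT"
[Peer]
PublicKey = $2
AllowedIPs = 10.8.0.0/24
Endpoint = 127.0.0.1:$WG_PORT
PersistentKeepalive = 20
EOF
}

# Server wg0.conf: $1 server private key, $2 client public key,
# $3 udp2raw password.
render_server_conf() {
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
MTU = 1200
ListenPort = $WG_PORT
PrivateKey = $1
PreUp = udp2raw -s -l 0.0.0.0:$TUNNEL_PORT -r 127.0.0.1:$WG_PORT -k "$3" --raw-mode faketcp -a --log-level 0 &
PostDown = pkill -f "udp2raw.*:$WG_PORT"
[Peer]
PublicKey = $2
AllowedIPs = 10.8.0.2/32
EOF
}

# Read a config on stdin; fail if a YOUR-... placeholder from the gist or the
# sample udp2raw password survived, or if the udp2raw line has no -k at all.
check_conf() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -q 'YOUR-'; then
        echo 'check_conf: unreplaced YOUR-... placeholder' >&2; return 1
    fi
    if printf '%s\n' "$conf" | grep -q -- '-k "your-password"'; then
        echo 'check_conf: udp2raw still uses the sample password' >&2; return 1
    fi
    if ! printf '%s\n' "$conf" | grep -q -- 'udp2raw .*-k "[^"]\{1,\}"'; then
        echo 'check_conf: udp2raw line has no -k password' >&2; return 1
    fi
    return 0
}

# Write a config from stdin to /etc/wireguard/$1.conf, root-only, which is
# exactly what wg-quick@$1 loads. Needs root.
install_conf() {
    umask 077
    mkdir -p /etc/wireguard
    cat > "/etc/wireguard/$1.conf"
}

# Server only, needs root: WireGuard's ListenPort binds every address, so
# without this plain UDP $WG_PORT is reachable from the internet as well.
# Drop it unless it arrived over loopback, which is where udp2raw delivers.
# udp2raw -a manages its own rule for TCP $TUNNEL_PORT, so leave that alone.
restrict_wg_udp() {
    iptables -I INPUT -p udp --dport "$WG_PORT" ! -i lo -j DROP
}
```

Typical use on the client: `set -- $(gen_keypair)` leaves the private key in `$1` and the public key in `$2`; give the public key to the server, then `render_client_conf "$1" "$SERVER_PUB" 203.0.113.5 "$PASSWORD" > wg0.conf && check_conf < wg0.conf && sudo sh -c 'install_conf wg0' < wg0.conf` (the address is a documentation example). The server does the same with render_server_conf and additionally runs restrict_wg_udp once.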

Notes:

  • With this configuration udp2raw listens on the TCP-looking port 4096 on all of the server's addresses, so that port is exposed to the world. Only a client with the matching -k password completes udp2raw's handshake, but the port is still visible; change it to another port number if you prefer. WireGuard's ListenPort = 51820 also binds on every address, not only loopback, so plain UDP 51820 remains reachable as an ordinary WireGuard endpoint unless you firewall it down to loopback traffic.
  • The -k password sits on the udp2raw command line, so any local user can read it from the process list; udp2raw's --conf-file option lets you keep it in a root-only file instead.
  • If it doesn't work, remove the PreUp and PostDown lines from both configs and run the udp2raw commands by hand with a higher --log-level (4 is the default info level, 5 is debug) to see whether the TCP tunnel gets established at all.
# Client configuration: /etc/wireguard/wg0.conf on the client
[Interface]
PrivateKey = YOUR-CLIENT-PRIVATE-KEY
Address = 10.8.0.2/32
# leaves headroom for udp2raw's own headers
MTU = 1200
# local UDP listener that wraps WireGuard packets and sends them to the server's TCP-looking port
PreUp = udp2raw -c -l 127.0.0.1:51820 -r YOUR-SERVER-IP:4096 -k "your-password" --raw-mode faketcp -a --log-level 0 &
PostDown = pkill -f "udp2raw.*:51820"
[Peer]
# the server's public key
PublicKey = YOUR-SERVER-PUBLIC-KEY
# only the tunnel subnet; 0.0.0.0/0 needs an explicit route for the server IP (see the comments below)
AllowedIPs = 10.8.0.0/24
# WireGuard talks to the local udp2raw listener, never to the server directly
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 20
# Server configuration: /etc/wireguard/wg0.conf on the server
[Interface]
Address = 10.8.0.1/24
MTU = 1200
# binds on all addresses, so UDP 51820 is also reachable directly unless firewalled
ListenPort = 51820
PrivateKey = YOUR-SERVER-PRIVATE-KEY
# accept the TCP-looking tunnel on 4096 and hand the inner UDP to WireGuard on loopback
# (wg-quick already runs as root, so no sudo is needed here)
PreUp = udp2raw -s -l 0.0.0.0:4096 -r 127.0.0.1:51820 -k "your-password" --raw-mode faketcp -a --log-level 0 &
PostDown = pkill -f "udp2raw.*:51820"
# Add your peers here
[Peer]
# the client's public key
PublicKey = YOUR-CLIENT-PUBLIC-KEY
AllowedIPs = 10.8.0.2/32
wangyu- commented Jun 10, 2024

NOTE: this will not work with AllowedIPs = 0.0.0.0/0 for example, as the udp2raw tunnel would break.

another possibility is setting up an explicit route for the server IP as described in https://www.procustodibus.com/blog/2022/02/wireguard-over-tcp/#point-to-internet

Yes. If you need 0.0.0.0/0, just add an explicit route for the server IP on the client side:

ip route add ${YOUR_SERVER_IP} via ${YOUR_GATEWAY}

wangyu- commented Jun 10, 2024

Can you help me, both client and server udp2raw log:

[2023-11-13 07:02:43][DEBUG]recv_safer failed!
[2023-11-13 07:02:44][DEBUG][38.9.140.224:58648][hb]received hb
[2023-11-13 07:02:44][DEBUG]heart beat sent<8ea7619c,d45052b1>
[2023-11-13 07:02:44][DEBUG]cipher_decrypt failed
[2023-11-13 07:02:44][DEBUG]recv_safer failed!
[2023-11-13 07:02:44][DEBUG][38.9.140.224:58648][hb]received hb
[2023-11-13 07:02:44][DEBUG]heart beat sent<8ea7619c,d45052b1>
[2023-11-13 07:02:44][DEBUG]cipher_decrypt failed
[2023-11-13 07:02:44][DEBUG]recv_safer failed!

In 80% of cases, it means your -k/--key or --cipher-mode --auth-mode doesn't match on client and server side. In this case, it's an easy fix.

In 5% of cases, it means your internet connection doesn't allow the packet constructed by raw socket to pass through transparently (it might be because of your client's ISP or virtual machine's network adapter mode, or something related to your server's network infrastructure). In this case, you can barely do anything other than changing the ISP or server provider.
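The debugging tip from the Notes and wangyu-'s reading of the log above, combined into one added example that is neither the gist author's nor udp2raw's code: run one side in the foreground at debug level for a few seconds, triage the captured log using only the messages quoted in the thread, and confirm that the two configs really carry the same -k before blaming the network. The key-mismatch verdict follows wangyu-'s "80%" case; the no-traffic verdict is my own reading of the "5%" case, not something udp2raw reports. The function names and the constructed sample log are assumptions; debug_run needs root and udp2raw in PATH.

```shell
#!/bin/sh
# Added example, not code from the gist or from udp2raw. Only the log
# messages quoted in the thread above ("received hb", "cipher_decrypt failed")
# are matched; the verdict names and the sample log are made up here.

# Run one side in the foreground for $1 seconds at --log-level 5 (udp2raw:
# 4 = info, the default; 5 = debug) and keep the log in $2. The remaining
# arguments are the udp2raw flags from the gist's PreUp line, minus the
# trailing "&" and minus its own --log-level 0. Needs root (raw sockets).
#   debug_run 15 /tmp/client.log -c -l 127.0.0.1:51820 -r 203.0.113.5:4096 -k "s3cret" --raw-mode faketcp -a
debug_run() {
    secs=$1; log=$2; shift 2
    timeout "$secs" udp2raw "$@" --log-level 5 2>&1 | tee "$log"
}

# Triage a saved udp2raw log ($1). Prints one of:
#   key-mismatch  decrypt failures although the peer's heartbeats arrive:
#                 -k, --cipher-mode or --auth-mode differ between the sides
#                 (wangyu-'s "80%" case; compare the configs with keys_match)
#   no-traffic    not one heartbeat from the peer: the raw packets are not
#                 reaching the other side intact (firewall, NAT or the ISP in
#                 the path; my reading of the "5%" case, not udp2raw's own)
#   ok            heartbeats flow and nothing fails to decrypt
triage_log() {
    hb=$(grep -c 'received hb' "$1" 2>/dev/null || true); hb=${hb:-0}
    bad=$(grep -c 'cipher_decrypt failed' "$1" 2>/dev/null || true); bad=${bad:-0}
    if [ "$bad" -gt 0 ] && [ "$hb" -gt 0 ]; then
        echo key-mismatch
    elif [ "$hb" -eq 0 ]; then
        echo no-traffic
    else
        echo ok
    fi
}

# Pull the -k value out of the udp2raw PreUp line of a wg-quick config ($1).
udp2raw_key_of() {
    sed -n 's/.*udp2raw .*-k "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if both configs carry the same, non-empty -k password: the
# "easy fix" to rule out before anything else.
keys_match() {
    k1=$(udp2raw_key_of "$1"); k2=$(udp2raw_key_of "$2")
    [ -n "$k1" ] && [ "$k1" = "$k2" ]
}

# Constructed sample in the shape of the log quoted in the thread (not a
# real capture): heartbeats arrive but every payload fails to decrypt.
sample_mismatch_log() {
    cat <<'EOF'
[2024-01-01 00:00:00][DEBUG][198.51.100.7:40000][hb]received hb
[2024-01-01 00:00:00][DEBUG]heart beat sent<00000001,00000002>
[2024-01-01 00:00:00][DEBUG]cipher_decrypt failed
[2024-01-01 00:00:00][DEBUG]recv_safer failed!
EOF
}
```

Run debug_run on the client and the server at the same time, then `triage_log /tmp/client.log`; a key-mismatch verdict plus a failing `keys_match client.conf server.conf` points straight at the -k line, while no-traffic on both sides with matching keys is the case wangyu- describes as hard to fix from your end.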
