erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

wireguard & wstunnel (7.x.x) #172

Closed Zloi78 closed 6 months ago

Zloi78 commented 6 months ago

Having a problem upgrading to 7.x.x using wireguard with wstunnel (with nginx).

I set up the connection according to the guide at https://kirill888.github.io/notes/wireguard-via-websocket/ and on version 6.0 everything worked great.

In version 6.0 I use the following settings:

server: wstunnel --server ws://127.0.0.1:33344 --restrictTo=127.0.0.1:51820

client: wstunnel -u --udpTimeoutSec -1 -L 0.0.0.0:33355:127.0.0.1:51820 wss://xxx.yyy.zzz

Connection established!

In version 7.x.x I use the following settings:

server: wstunnel server ws://127.0.0.1:33344 --restrict-to=127.0.0.1:51820

client: wstunnel client -L udp://33355:127.0.0.1:51820 wss://xxx.yyy.zzz

No connection!

What am I doing wrong?

erebe commented 6 months ago

Hello,

Can you run the client and the server with the env variable RUST_LOG=trace set, and paste the output for the client and the server?

Besides that, one thing I can see is that in the old version your tunnel was listening on all interfaces

wstunnel -u --udpTimeoutSec -1 -L 0.0.0.0:33355:127.0.0.1:51820 wss://xxx.yyy.zzz

note the 0.0.0.0

while with the new command line you are only listening on the loopback interface

wstunnel client -L udp://33355:127.0.0.1:51820 wss://xxx.yyy.zzz

Try with

wstunnel client -L 'udp://0.0.0.0:33355:127.0.0.1:51820?timeout_sec=0' wss://xxx.yyy.zzz
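
The two pitfalls in this migration (the listener silently moving from 0.0.0.0 to loopback, and the v6 `--udpTimeoutSec -1` becoming `?timeout_sec=0`) are mechanical enough to check with a script. The following is an added example, not wstunnel's own code: it handles only the 6.x client flags seen in this thread (`-u`, `--udpTimeoutSec`, `-L [bind:]port:host:port`) and emits the 7.x form plus migration warnings; the 30 s idle default it mentions is the value quoted later in the thread.

```python
"""Translate a wstunnel 6.x UDP client command into the 7.x URL form (added example)."""
import re
import shlex

# Constructed input: the v6 command line that worked in this thread.
V6_CMD = "wstunnel -u --udpTimeoutSec -1 -L 0.0.0.0:33355:127.0.0.1:51820 wss://xxx.yyy.zzz"


def parse_v6(cmd):
    """Return (udp, timeout, bind_host, local_port, dst_host, dst_port, server_url)."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "wstunnel" or "--server" in argv:
        raise ValueError("expected a wstunnel 6.x client command")
    udp, timeout, local, server = False, None, None, None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-u":
            udp = True
        elif arg == "--udpTimeoutSec":
            timeout, i = int(argv[i + 1]), i + 1
        elif arg == "-L":
            local, i = argv[i + 1], i + 1
        elif arg.startswith(("ws://", "wss://")):
            server = arg
        else:
            raise ValueError("unhandled 6.x flag: %s" % arg)
        i += 1
    if local is None or server is None:
        raise ValueError("need both -L and a ws:// or wss:// server URL")
    m = re.fullmatch(r"(?:(\S+?):)?(\d+):(\S+):(\d+)", local)  # [bind:]port:host:port
    if not m:
        raise ValueError("unrecognised -L spec: %s" % local)
    return (udp, timeout) + m.groups() + (server,)


def to_v7(cmd):
    """Build the equivalent 7.x command and a list of migration warnings."""
    udp, timeout, bind, lport, dhost, dport, server = parse_v6(cmd)
    warnings = []
    spec = "%s://%s%s:%s:%s" % ("udp" if udp else "tcp", bind + ":" if bind else "", lport, dhost, dport)
    if udp and timeout is not None and timeout < 0:
        spec += "?timeout_sec=0"          # v6 "-1" (never expire) is spelled 0 in 7.x
    elif udp and timeout is not None:
        spec += "?timeout_sec=%d" % timeout
    elif udp:
        warnings.append("no UDP timeout given: 7.x closes an idle UDP tunnel after 30 s, use ?timeout_sec=0 for WireGuard")
    if bind is None:
        warnings.append("no bind address: 7.x listens on loopback only, add 0.0.0.0 if other hosts must reach the tunnel")
    elif bind == "0.0.0.0":
        warnings.append("listener bound on all interfaces: make sure host firewall rules limit who can reach port " + lport)
    return "wstunnel client -L '%s' %s" % (spec, server), warnings
```
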
Zloi78 commented 6 months ago

Try with

wstunnel client -L 'udp://0.0.0.0:33355:127.0.0.1:51820?timeout_sec=0' wss://xxx.yyy.zzz

Yes. My mistake was exactly this. Thank you!

Zloi78 commented 6 months ago

One more problem.

These are the iperf3 results I get from both versions:

MTU = 1320

v.6.0

iperf3 -c 192.168.1.2 -t 10
warning: Ignoring nonsense TCP MSS -2146716928
Connecting to host 192.168.1.2, port 5201
[  5] local 192.168.0.2 port 16545 connected to 192.168.1.2 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   384 KBytes  3.13 Mbits/sec
[  5]   1.00-2.01   sec  1.62 MBytes  13.6 Mbits/sec
[  5]   2.01-3.01   sec  1.00 MBytes  8.36 Mbits/sec
[  5]   3.01-4.02   sec   640 KBytes  5.23 Mbits/sec
[  5]   4.02-5.00   sec   640 KBytes  5.31 Mbits/sec
[  5]   5.00-6.01   sec   768 KBytes  6.27 Mbits/sec
[  5]   6.01-7.01   sec   768 KBytes  6.27 Mbits/sec
[  5]   7.01-8.01   sec   512 KBytes  4.18 Mbits/sec
[  5]   8.01-9.00   sec   512 KBytes  4.24 Mbits/sec
[  5]   9.00-10.01  sec   512 KBytes  4.18 Mbits/sec

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec  7.25 MBytes  6.08 Mbits/sec  sender
[  5]   0.00-10.22  sec  6.47 MBytes  5.31 Mbits/sec  receiver

v.7.2.0

iperf3 -c 192.168.1.2 -t 10
warning: Ignoring nonsense TCP MSS -2146716928
Connecting to host 192.168.1.2, port 5201
[  5] local 192.168.0.2 port 17642 connected to 192.168.1.2 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   256 KBytes  2.10 Mbits/sec
[  5]   1.00-2.00   sec  0.00 Bytes   0.00 bits/sec
[  5]   2.00-3.01   sec  0.00 Bytes   0.00 bits/sec
[  5]   3.01-4.01   sec  0.00 Bytes   0.00 bits/sec
[  5]   4.01-5.02   sec  0.00 Bytes   0.00 bits/sec
[  5]   5.02-6.00   sec  0.00 Bytes   0.00 bits/sec
[  5]   6.00-7.01   sec  0.00 Bytes   0.00 bits/sec
[  5]   7.01-8.01   sec  0.00 Bytes   0.00 bits/sec
[  5]   8.01-9.01   sec  0.00 Bytes   0.00 bits/sec
[  5]   9.01-10.00  sec  0.00 Bytes   0.00 bits/sec

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec   256 KBytes   210 Kbits/sec  sender
[  5]   0.00-10.22  sec  11.2 KBytes  9.02 Kbits/sec  receiver

Direct connection (without wstunnel)

iperf3 -c 192.168.1.2 -t 10
warning: Ignoring nonsense TCP MSS -2146716928
Connecting to host 192.168.1.2, port 5201
[  5] local 192.168.0.2 port 17537 connected to 192.168.1.2 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.01   sec  7.62 MBytes  63.4 Mbits/sec
[  5]   1.01-2.00   sec  4.88 MBytes  41.1 Mbits/sec
[  5]   2.00-3.01   sec  9.25 MBytes  77.3 Mbits/sec
[  5]   3.01-4.01   sec  8.25 MBytes  69.0 Mbits/sec
[  5]   4.01-5.00   sec  7.00 MBytes  59.2 Mbits/sec
[  5]   5.00-6.00   sec  4.00 MBytes  33.5 Mbits/sec
[  5]   6.00-7.00   sec  3.88 MBytes  32.6 Mbits/sec
[  5]   7.00-8.01   sec  4.00 MBytes  33.3 Mbits/sec
[  5]   8.01-9.01   sec  4.62 MBytes  39.0 Mbits/sec
[  5]   9.01-10.00  sec  4.38 MBytes  36.9 Mbits/sec

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  57.9 MBytes  48.5 Mbits/sec  sender
[  5]   0.00-10.11  sec  54.3 MBytes  45.1 Mbits/sec  receiver

erebe commented 6 months ago

Can you share how you start the client and the server, and the command to start iperf3 server side ?

Zloi78 commented 6 months ago

The server part of both version 6 and version 7 is launched on Synology in docker and in reverse proxy mode. Here is the docker compose data:

v.6.0

version: "3.5"
services:
  wstunnel-s:
    image: zloi78/wstunnel:6.0
    command: wstunnel --server ws://127.0.0.1:33344 --restrictTo=127.0.0.1:51820
    container_name: wstunnel-s
    network_mode: "host"
    ports:

v.7.2.0

version: "3.5"
services:
  wstunnel-s:
    image: zloi78/wstunnel:latest
    command: wstunnel server ws://127.0.0.1:33344 --restrict-to=127.0.0.1:51820
    container_name: wstunnel-s
    network_mode: "host"
    ports:

The client part is running on the NUC (also in Docker). Here is the docker compose data:

v.6.0

version: "3.5"
services:
  wstunnel-c:
    image: zloi78/wstunnel:6.0
    command: wstunnel -u --udpTimeoutSec -1 -L 0.0.0.0:33355:127.0.0.1:51820 wss://xxx.yyy.zzz
    container_name: wstunnel-c-ds
    network_mode: "host"
    ports:

v.7.2.0

version: "3.5"
services:
  wstunnel-c:
    image: zloi78/wstunnel:latest
    command: wstunnel client -L udp://0.0.0.0:33355:127.0.0.1:51820 wss://xxx.yyy.zzz
    container_name: wstunnel-c-ds
    network_mode: "host"
    ports:

And the iperf3 server side command:

iperf -s

erebe commented 6 months ago

All works fine for me. I have the same kind of setup as you, I guess: wsclient ---> nginx ---> wstunnel server

A couple of notes.

You can find below my runs

[screenshot of the runs: 2023-10-26_09-01]

erebe commented 6 months ago

Hello,

I had time to dig into the issue with WireGuard, and you may want to use the new release https://github.com/erebe/wstunnel/releases/tag/v7.7.2 ; it improves throughput by a lot. WireGuard requires its UDP framing to be respected, which wstunnel 7.x was not doing before.
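
To make "respecting UDP framing" concrete, here is an added illustration that is not wstunnel's code or its actual wire format: a 2-byte length prefix stands in for whatever framing the tunnel uses. Datagrams carried over a byte stream arrive re-chunked, so without a boundary marker the receiver hands WireGuard packets of the wrong size; the sanity check uses the WireGuard packet type and its fixed lengths (148-byte handshake initiation, 92-byte response, 64-byte cookie reply, data packets of at least 32 bytes).

```python
"""UDP datagrams over a byte stream: why boundaries must be preserved (added example)."""
import struct

# Constructed datagrams with WireGuard-like shapes: a handshake initiation
# (type 1, 148 bytes) followed by a minimal data packet (type 4, 32 bytes).
DGRAMS = [bytes([1]) + b"\x00" * 147, bytes([4]) + b"\x00" * 31]

# WireGuard message type -> required length (None: minimum 32 bytes).
WG_SIZES = {1: 148, 2: 92, 3: 64, 4: None}


def wg_sane(pkt):
    """True if pkt has a valid WireGuard type byte and a plausible length."""
    if not pkt:
        return False
    size = WG_SIZES.get(pkt[0], -1)
    if size == -1:
        return False
    return len(pkt) >= 32 if size is None else len(pkt) == size


def frame(dgrams):
    """Illustrative framing: big-endian 2-byte length followed by the datagram."""
    return b"".join(struct.pack("!H", len(d)) + d for d in dgrams)


def unframe(chunks):
    """Reassemble datagrams from any chunking of the framed stream."""
    buf, out = b"", []
    for chunk in chunks:
        buf += chunk
        while len(buf) >= 2:
            n = struct.unpack("!H", buf[:2])[0]
            if len(buf) < 2 + n:
                break                      # wait for the rest of this datagram
            out.append(buf[2:2 + n])
            buf = buf[2 + n:]
    return out


def naive_split(chunks):
    """What an unframed tunnel does: every stream read becomes one 'datagram'."""
    return list(chunks)


def rechunk(data, n):
    """Simulate the stream delivering data in n-byte reads."""
    return [data[i:i + n] for i in range(0, len(data), n)]
```
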

erebe commented 6 months ago

Release https://github.com/erebe/wstunnel/releases/tag/v7.8.0, should be the real deal :)

Zloi78 commented 6 months ago
  • On wstunnel client for the udp tunnel, you need to add ?timeout_sec=0 to avoid auto closing the tunnel after 30 sec

Is it also recommended to set this in version 7.8.0?

Kirill888 commented 6 months ago

Not directly related to the issue, but I thought I'd mention it anyway:

I see there is now a --tls-sni-override= option on the client, so all that fiddling with /etc/hosts or using dnsmasq is no longer necessary, instead use ip address + tls-sni-override option to establish the tunnel.

erebe commented 6 months ago

@Zloi78 if you are tunneling VPN traffic, yes, absolutely.

@Kirill888 you're right, and just to add: don't forget to set the HTTP Host header if you are behind a CDN.

I am closing the issue. Feel free to re-open if the performance is not OK.