erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

Wireguard tunneling over Websocket (wstunnel) does not work #181

Closed mansjals closed 6 months ago

mansjals commented 6 months ago

Hello,

My wstunnel for wireguard does not work. I use a VPS which I control as my server. Wireguard connection between client and server without tunneling works without problems. As soon as I start tunneling via wstunnel, data transmission stops completely. I followed the description at "erebe" and "jnsgruk" for implementation. I tried wstunnel v5.0.0 as well as the newest version v7.9.1.

1) journalctl output from server side seems ok:

Nov 05 08:58:57 systemd[1]: Started Tunnel WG UDP over websocket.
Nov 05 08:58:57 wstunnel[5423]: 2023-11-05T08:58:57.662251Z INFO wstunnel: WsServerConfig { socket_so_mark: None, bind: 0.0.0.0:443, restrict_to: Some(["127.0.0.1:51820"]), websoc>
Nov 05 08:58:57 wstunnel[5423]: 2023-11-05T08:58:57.662270Z INFO wstunnel::tunnel::server: Starting wstunnel server listening on 0.0.0.0:443

2) firewall for server is configured to accept connections at port 443/tcp.

I think the problem is on client side. There I do not know how to get proper debug messages. Client runs with newly installed Ubuntu 22.04.3 LTS. "wg show" command shows no data exchanged: transfer: 0 B received, 148 B sent.

How could I start with error search on client side?

yu-james commented 6 months ago

If these are all the INFOs you got at the wstunnel server, it seems your wstunnel client hasn't initiated any WS connection.

What log did you get from wstunnel client side?

mansjals commented 6 months ago

I do not know how to get logs for wstunnel on client side.

1) When I run wireguard as a service on the client side I get the following log output from the service log:

command as root: # journalctl -fu wg-quick@wg0.service
wg-quick[5461]: [#] ip link add wg0 type wireguard
wg-quick[5461]: [#] wg setconf wg0 /dev/fd/63
sudo[5477]: root : PWD=/ ; USER=nobody ; COMMAND=/usr/local/bin/wstunnel --quiet --udpTimeoutSec -1 --upgradePathPrefix wstunnel --udp -L 127.0.0.1:51820:127.0.0.1:51820 wss://'IP_of_VPS':443
wg-quick[5461]: [#] ip -4 address add 10.0.0.2 dev wg0
sudo[5477]: pam_unix(sudo:session): session opened for user nobody(uid=65534) by (uid=0)
wg-quick[5461]: [#] ip link set mtu 1300 up dev wg0
sudo[5477]: pam_unix(sudo:session): session closed for user nobody
wg-quick[5493]: [#] resolvconf -a tun.wg0 -m 0 -x
wg-quick[5461]: [#] source /etc/wireguard/wstunnel.sh && post_up wg0
systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

2) On client side, command as root: # wg show
interface: wg0
  public key: "public key of client"
  private key: (hidden)
  listening port: 56228

peer: "public key of server"
  endpoint: 127.0.0.1:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 28.18 KiB sent
  persistent keepalive: every 25 seconds

3) On client side, command as root: # ping google.com
PING google.com (142.250.203.206) 56(84) bytes of data.
^X^C
--- google.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9216ms

erebe commented 6 months ago

Hello,

Most likely because of the 2nd point of the FAQ: https://github.com/erebe/wstunnel#wireguard-and-wstunnel

If wstunnel cannot connect to the server while wireguard is on, be sure you have added a static route via your main gateway for the IP of the wstunnel server. Else, if you forward all the traffic without putting a static route, you will end up looping your traffic: wireguard interface -> wstunnel client -> wireguard interface.

As you have set a catch-all allowed ips: 0.0.0.0/0, ::/0 on your wireguard client, traffic is looping. Try setting a static route to your server.

sudo ip route add ip_server dev your_network_interface via ip_gtw
E.g.: sudo ip route add 195.154.119.61 dev enp5s0 via 192.168.1.1

P.s: Also, please use version 7.9.1, I am not going to provide support for previous versions.

yu-james commented 6 months ago

In addition, it looks like you are using the old command line syntax at the client: sudo[5477]: root : PWD=/ ; USER=nobody ; COMMAND=/usr/local/bin/wstunnel --quiet --udpTimeoutSec -1 --upgradePathPrefix wstunnel --udp -L 127.0.0.1:51820:127.0.0.1:51820 wss://'IP_ofVPS':443

Should be this for 7.9.1: wstunnel client -L udp://127.0.0.1:51820:localhost:51820?timeout_sec=0 --http-upgrade-path-prefix wstunnel wss://'IP_of_VPS'

And if you are going to use --upgradePathPrefix, make sure it's correct at the server too.
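A small client-side preflight that ties erebe's static-route point and yu-james's 7.9.1 syntax together, written here as an added example (it is not part of the wstunnel project or of either comment). It assumes the output format of `ip -4 route get <server_ip>` and uses the server IP and interface names from erebe's example as constructed samples; the last argument of the client command has no explicit port, matching the comment above.

```shell
#!/bin/sh
# Added example, not wstunnel project code. Checks whether traffic to the
# wstunnel server would loop through the WireGuard interface, and builds the
# commands the thread recommends. Assumes `ip route get` output shape.

# $1 = one line of `ip -4 route get <server_ip>` output, $2 = WireGuard
# interface name. Prints "<dev> <gateway>" and returns 0 when the server is
# reached via a real interface; returns 1 when the lookup resolves through
# the WireGuard interface (the wg0 -> wstunnel -> wg0 loop erebe describes).
route_check() {
    dev=$(printf '%s\n' "$1" | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}')
    gw=$(printf '%s\n' "$1" | awk '{for(i=1;i<=NF;i++) if($i=="via") print $(i+1)}')
    if [ -z "$dev" ] || [ "$dev" = "$2" ]; then
        return 1
    fi
    printf '%s %s\n' "$dev" "$gw"
}

# $1 = server IP, $2 = physical interface, $3 = gateway. Prints the static
# route command from erebe's comment (run with root privileges).
pin_route_cmd() {
    printf 'ip route add %s dev %s via %s\n' "$1" "$2" "$3"
}

# $1 = server host, $2 = upgrade path prefix. Prints the 7.9.1 client
# command from yu-james's comment; the prefix must match the server side.
client_cmd() {
    printf "wstunnel client -L 'udp://127.0.0.1:51820:localhost:51820?timeout_sec=0' --http-upgrade-path-prefix %s wss://%s\n" "$2" "$1"
}

# Constructed samples (values taken from the thread, not real lookups).
SAMPLE_OK='195.154.119.61 via 192.168.1.1 dev enp5s0 src 192.168.1.50 uid 0'
SAMPLE_LOOP='195.154.119.61 dev wg0 src 10.0.0.2 uid 0'

if out=$(route_check "$SAMPLE_OK" wg0); then
    echo "ok: server reachable via $out"
    pin_route_cmd 195.154.119.61 ${out% *} ${out#* }
fi
if ! route_check "$SAMPLE_LOOP" wg0 >/dev/null; then
    echo "loop: server route goes through wg0, add the static route first"
fi
client_cmd 195.154.119.61 wstunnel
```

On a live client, replace the constructed samples with the real output of `ip -4 route get <server_ip>` taken while wg0 is up; a `dev wg0` result is the symptom behind "0 B received".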

klementng commented 6 months ago

@mansjals I have written a python script for myself that should automatically configure the client side wstunnel and wireguard at https://github.com/klementng/wireguard-over-wstunnel/. It seems similar to your use case, so maybe you could try it out and see if it works.

mansjals commented 6 months ago

Thank you all for your support. @erebe: I added the route as described by you. It was indeed missing. @yu-james: Thank you for the comment. The wrong command was defined in the wstunnel.sh script. This script was written for the old Haskell wstunnel.

Still, unfortunately, it does not work. What is the most simple setup I can choose to tunnel Wireguard through wstunnel? Do I need the wstunnel.sh script which is used in kirill888 description (Readme.md, chapter "Wireguard and wstunnel") or can I set it up without this script? Until now I used this tunnel.sh script: https://github.com/jnsgruk/wireguard-over-wss. I tried to get the setup to function without it (only command line on client and server side for wstunnel). But it also does not work.

yu-james commented 6 months ago

When you ran client separately, did it show any log indicating it has got the packet from wireguard and attempted to open a connection to server? Or what is the log from client?

erebe commented 6 months ago

Can you describe your client setup and server setup? And also provide the log of the client and server started with the environment variable RUST_LOG=debug set, please :pray:

Or you can use the project of @klementng to setup your tunnel.

P.s: I am taking some vacation, so I am going offline until the end of November.

mansjals commented 6 months ago

> @mansjals I have written a python script for myself that should automatically configure the client side wstunnel and wireguard at https://github.com/klementng/wireguard-over-wstunnel/. It seems similar to your use case, so maybe you could try it out and see if it works.

Yes, the script works without any problems. It is a great tool. Is my understanding correct that wireguard and wstunnel run only as long as the script is running?

My main problem is that I do not understand how to set up wstunnel for wireguard. All information for wstunnel I found online refers to the Haskell version of wstunnel and includes the wstunnel.sh script. I have no idea how to set up wstunnel v7.x for wireguard.

mansjals commented 6 months ago

Thank you all for your support. It is working now. I tried to reproduce the script from @klementng. It was successful. I also had to add a new IP route. Everything is so easy once you know how to do it. wstunnel.sh is not required.