Closed mosheung130 closed 2 months ago
Hello,
Yes, it should work with wg-easy, even if I have never used it myself.
If you use the docker command line from the readme, it is not going to work out-of-the-box with localhost due to networking isolation.
$ docker run -d \
--name=wg-easy \
-e WG_HOST=🚨YOUR_SERVER_IP \
-e PASSWORD=🚨YOUR_ADMIN_PASSWORD \
-v ~/.wg-easy:/etc/wireguard \
-p 51820:51820/udp \
-p 51821:51821/tcp \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--sysctl="net.ipv4.ip_forward=1" \
--restart unless-stopped \
ghcr.io/wg-easy/wg-easy
In this case, localhost will refer to the inside of the Docker container, and I suppose your wstunnel client is not started inside this container but on your host machine.
Try replacing localhost with the IP of your host machine:
❯ ip route | grep default
default via 192.168.0.1 dev wlo1 proto dhcp src 192.168.0.194 metric 3002
The IP should be 192.168.0.194, just after src, and start your client with -L udp://192.168.0.194:51820:remote_host:51820
Warning: by doing so, your tunnel client is going to listen for/accept requests from your LAN network.
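The lookup described in the reply above, automated, as an added example that is not part of this thread, of wstunnel or of wg-easy. It reads the src hint off the default route and, when the route line carries no src field (the shape the enp1s0 line later in this thread has), falls back to the first IPv4 address of the route's interface; remote_host stays the placeholder for the wstunnel server, and the two route lines embedded in it are constructed from this thread so the script runs offline.

```shell
#!/bin/sh
# Added example for this thread; not part of wstunnel or wg-easy.
# Pick the address the wstunnel client should bind to on the Docker host,
# following the reply above: take the "src" hint from the default route and,
# if the route line has no "src" field, fall back to the interface's first
# IPv4 address.

# Constructed sample route lines, in the two shapes this thread shows.
ROUTE_WITH_SRC='default via 192.168.0.1 dev wlo1 proto dhcp src 192.168.0.194 metric 3002'
ROUTE_WITHOUT_SRC='default via 139.180.172.1 dev enp1s0'

# Print the address following "src" on a route line, or nothing if absent.
route_src_ip() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Print the interface following "dev" on a route line, or nothing if absent.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Resolve the bind address: prefer the src hint; otherwise ask iproute2 for
# the first IPv4 address on the route's interface (this branch needs "ip"
# on the host and is only reached for lines without "src").
host_bind_ip() {
    addr=$(route_src_ip "$1")
    if [ -n "$addr" ]; then
        printf '%s\n' "$addr"
        return 0
    fi
    dev=$(route_dev "$1")
    [ -n "$dev" ] || return 1
    ip -4 -o addr show dev "$dev" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Build the client's -L argument; "remote_host" stays the placeholder for
# the wstunnel server, as in the reply above, unless a second argument is given.
client_local_to_remote() {
    printf 'udp://%s:51820:%s:51820\n' "$1" "${2:-remote_host}"
}

if [ "${1:-}" = "--live" ]; then
    # Resolve against this machine's real default route.
    host_bind_ip "$(ip route show default 2>/dev/null | head -n 1)"
else
    # Offline demonstration on the embedded sample line.
    client_local_to_remote "$(host_bind_ip "$ROUTE_WITH_SRC")"
fi
```

Run it as-is to see the -L argument built from the embedded sample, or with --live to resolve the address on the current host. Binding to the LAN address has exactly the consequence the reply warns about: the client then accepts UDP from the whole LAN, not just from the wg-easy container.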
Sorry for the confusion, I've been using wg-easy with the server IP already, but I don't understand the following part:
❯ ip route | grep default
default via 192.168.0.1 dev wlo1 proto dhcp src 192.168.0.194 metric 3002
When I run the command (ip route | grep default) without the (>) I get this. I think I routed that before; is that backwards? The enp1s0 is what wg-easy in Docker is running on, I think.
default via 139.180.172.1 dev enp1s0
Also, when I tried running this command
./wstunnel client -L 'udp://myip:51820:remote_host:51820'
it gave me this error:
error: invalid value 'udp://myip:remote_host:51820' for '--local-to-remote {tcp,udp,socks5,stdio}://[BIND:]PORT:HOST:PORT': cannot parse bind port from remote_host
Sorry, what might I be doing wrong?
Hello,
I'm not sure I understand what you're trying to do:
- Using the VPN outbound and with the wstunnel client do you want to reach a wstunnel server elsewhere on the net?
- Or use the VPN to have a public @ip with a wstunnel server to connect from the internet?
In some cases, I use it to display html on https://mysubdom.mydom.fr and reverse proxy to the wstunnel process.
No, Apache server is not needed.
I use it to display a static html on https://mysubdom.mydom.fr and reverse proxy it to the wstunnel process.
Personally, I use wstunnel to do ssh over https and create one or more tunnels to resources on a local network.
If you wish, I can provide you with an example configuration with the dockerfile, the docker-compose.yaml and the startup scripts. You should be able to contact me via GitHub.
I am just trying to hide WireGuard traffic as normal traffic (http or https, I forgot); I somehow can't open both links.
Okay, so you want to set up a connection like this:
PC1 Windows or Linux --> WireGuard client --> wstunnel --> internet --> PC2 Linux or Windows --> wstunnel --> WG server
This means that you need to do the following:
On PC1, redirect the destination WireGuard port to wstunnel. Then, wstunnel should connect to an address like ws://PC2.com:443 or ws://PC2.com:80.
On PC2, wstunnel should listen on port 443 or 80 and redirect to the WG server port.
Is that right?
The wstunnel command on PC1 should be something like this:
wstunnel client -L 'udp://51820:localhost:51820?timeout_sec=0' wss://PC2.com:443 [--http-proxy=your.enterprise-proxy:3128]
The command on PC2 (WireGuard server) should be something like this:
wstunnel server --restrict-to localhost:51820 wss://[::]:443
or
wstunnel server --restrict-to localhost:51820 wss://0.0.0.0:443
Your command ./wstunnel client -L 'udp://myip:51820:remote_host:51820' is not correct.
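The two failure modes this thread runs into, a client -L spec that does not parse and a client whose remote HOST:PORT does not match the server's --restrict-to (the 51280/51820 mix-up from the readme, which the server logs as "not allowed destination"), can be caught before either side is started. The checker below is added example code written for this thread, not part of wstunnel. It models the -L grammar from the usage string quoted in the error above, {tcp,udp,socks5,stdio}://[BIND:]PORT:HOST:PORT with an optional ?key=value suffix such as ?timeout_sec=0; how closely that model follows wstunnel's real parser is an assumption (bracketed IPv6 bind addresses, for one, are not handled).

```shell
#!/bin/sh
# Added example for this thread, not wstunnel's own code: check that a client
# "-L" spec parses and that its remote HOST:PORT is the one the server's
# "--restrict-to" allows. The grammar below is modelled on the usage string
# shown in the error quoted in this thread; it is an approximation of
# wstunnel's parser (assumption: no bracketed IPv6 literals).

is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && return 0
    return 1
}

# Parse a -L spec. On success print "PROTO BIND LPORT HOST RPORT" ("-" when
# BIND was omitted); on failure print an error in the spirit of the one
# quoted in this thread and return 1.
parse_local_to_remote() {
    orig=$1
    spec=${orig%%\?*}                        # drop "?timeout_sec=0" and friends
    case $spec in
        tcp://*|udp://*|socks5://*|stdio://*) ;;
        *) echo "error: unsupported scheme in '$orig'"; return 1 ;;
    esac
    proto=${spec%%://*}
    rest=${spec#*://}
    oldifs=$IFS; IFS=:; set -- $rest; IFS=$oldifs   # split the rest on ':'
    if is_port "$1"; then
        bind=-; lport=$1; shift                      # [BIND:] was omitted
    else
        [ $# -ge 2 ] || { echo "error: cannot parse bind port from '$rest'"; return 1; }
        bind=$1; lport=$2
        is_port "$lport" || { echo "error: cannot parse bind port from '$lport'"; return 1; }
        shift 2
    fi
    [ $# -eq 2 ] || { echo "error: expected HOST:PORT after the local port in '$orig'"; return 1; }
    is_port "$2" || { echo "error: cannot parse remote port from '$2'"; return 1; }
    printf '%s %s %s %s %s\n' "$proto" "$bind" "$lport" "$1" "$2"
}

# Compare the destination the client will ask for with the server's
# --restrict-to value; a client forwarding to localhost:51280 against a server
# restricted to localhost:51820 is the "not allowed destination" rejection
# quoted in this thread.
client_matches_server() {
    restrict=$2
    parsed=$(parse_local_to_remote "$1") || { printf '%s\n' "$parsed"; return 1; }
    set -- $parsed
    if [ "$4:$5" = "$restrict" ]; then
        echo "ok: client forwards to $4:$5, server allows $restrict"
        return 0
    fi
    echo "mismatch: client forwards to $4:$5 but server only allows $restrict"
    return 1
}

# Demonstration on the commands from this thread.
client_matches_server 'udp://51820:localhost:51820?timeout_sec=0' 'localhost:51820' || true
client_matches_server 'udp://51280:localhost:51280?timeout_sec=0' 'localhost:51820' || true
client_matches_server 'udp://myip:remote_host:51820' 'localhost:51820' || true
```

The third call reproduces the parse error above: with only three colon-separated fields, myip is taken as BIND and remote_host then has to be the local port, which is not a number. The bracketed [--http-proxy=...] part of the commands is not part of the -L spec and is not checked here.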
Oh yes I see, will try that thanks very much.
If you are having trouble configuring the VPN with wstunnel, I suggest you first try to get it working with OpenSSH. Once OpenSSH is working, you will have validated that wstunnel works between your client and your server.
OpenSSH: on the client side, you should have a command like this:
ssh user@remoteLocal_IP -t -o ProxyCommand="wstunnel client -L stdio://%h:%p wss://yourdomain.com:443 [--http-proxy=enterpriseproxy:3128]" -L 2222:LocalIPWindows:3389
For example:
ssh user@192.168.10.25 -t -o ProxyCommand="wstunnel client -L stdio://%h:%p wss://yourdomain.com:443 [--http-proxy=enterpriseproxy:3128]" -L 2222:192.168.10.32:3389
[--http-proxy=enterpriseproxy:3128] --> if you need to use a corporate proxy to make traffic flow out via port 443 or 80
On the server side, you should have a command like this:
wstunnel server --restrict-to 192.168.10.25:22 wss://0.0.0.0:443
--> if you want to restrict access to the server 192.168.10.25
or
wstunnel server wss://0.0.0.0:443
--> if you don't want to restrict access to a single server
On the SSH server side: it is recommended to only accept SSH key-based authentication. On the SSH client side: have an SSH config file (.ssh/config) with:
Host *
    ForwardAgent yes
@mosheung130
Does wstunnel work with wg-easy?
Yes it will work. I've been using it myself for my own setup for many months now.
I set it up in a way where the wg-easy and wstunnel containers share a common container for networking. Here is a modified/simplified configuration from my own setup:
services:
  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - TZ=${TZ}
      - PASSWORD=${TUN_WG_EASY_PASSWORD}
      - WG_HOST= #external domain/ip
      - WG_PORT=443 #external facing port
      - WG_DEVICE=eth0
      - WG_DEFAULT_ADDRESS=10.6.0.x
      - WG_PERSISTENT_KEEPALIVE=21
    ports:
      # expose all ports from the "main" networking container
      - 443:51820/udp #wg
      - 51820:51820/udp #wg
      - 8001:51821/tcp #wg-easy interface
      - 8399:8399 # wstunnel
    labels:
      - "com.centurylinklabs.watchtower.monitor-only=true"
    restart: unless-stopped
  wstunnel:
    image: ghcr.io/erebe/wstunnel
    container_name: wstunnel
    environment:
      - TZ=${TZ}
    command: /home/app/wstunnel server wss://0.0.0.0:8399 --restrict-to=127.0.0.1:51820 --restrict-http-upgrade-path-prefix ${TUN_WSTUNNEL_SECRET}
    network_mode: service:wg-easy # or you can use container:container_name
    labels:
      - "com.centurylinklabs.watchtower.monitor-only=true"
    restart: unless-stopped
and to connect to it, I've been using a Python application/script that I've written for myself.
Sorry if I post this in the wrong place, I am very new to GitHub and code.
Does wstunnel work with wg-easy?
In the section "Wireguard and wstunnel" on the GitHub page, under "on your local machine start the client like this" it lists the port as 51280, while under "change your wireguard client config to something" it is 51820. If they are the same, it should work, right?
Do I need a website for this? If so, how would it work with wg-easy with wstunnel? When I tried it, the client side gave me something like "no such host is known, os error 11001" (Windows 10), and "bad certificate" on the server side; I have no idea how to fix that.
When I did it without a website (using the server IP instead) I get this on the server side:
: wstunnel::tunnel::server: Doing TLS handshake id="id number thing" remote="localhost:51280"}: wstunnel::tunnel::server: Rejecting connection with not allowed destination: localhost:51280 id="id number thing" remote="localhost:51280"}: wstunnel::tunnel::server: Rejecting connection with bad upgrade request: Invalid upgrade request /morille/events?bearer= stuff here
and got "cannot connect due to timeout of 10s elapsed" from the client side.
Under "Add a default route to your server, as your AllowedIps are catch-all, it is to avoid the traffic looping.", the router gateway and the IP of the website are the same; is that OK?
I've been trying to get this to work for maybe a few months already, please help me. I just want this to work.