erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

Need up setting up wg-easy with wstunnel #214

Closed mosheung130 closed 2 months ago

mosheung130 commented 3 months ago

Sorry if I posted this in the wrong place; I am very new to GitHub and code.

Does wstunnel work with wg-easy?

In the section "Wireguard and wstunnel" on the GitHub page, under "on your local machine start the client like this" it lists the port as 51280, while under "change your wireguard client config to something" it is 51820. If they are the same it should work, right?

Do I need a website for this? If so, how would it work with wg-easy and wstunnel? When I tried it, the client side gave me something like "no such host is known, os error 11001" (Windows 10), and "bad certificate" on the server side; I have no idea how to fix that.

When I did it without a website (using the server IP instead) I get this on the server side:

: wstunnel::tunnel::server: Doing TLS handshake id="id number thing" remote="localhost:51280"}: wstunnel::tunnel::server: Rejecting connection with not allowed destination: localhost:51280 id="id number thing" remote="localhost:51280"}: wstunnel::tunnel::server: Rejecting connection with bad upgrade request: Invalid upgrade request /morille/events?bearer= stuff here

and got "cannot connect due to timeout of 10s elapsed" from the client side.

Under "Add a default route to your server, as your AllowedIps are catch-all, it is to avoid the traffic looping.", the router gateway and the IP of the website are the same; is that OK?

I have been trying to get this to work for maybe a few months already; please help me. I just want this to work.

erebe commented 3 months ago

Hello,

Yes, it should work with wg-easy, even though I have never used it myself. If you use the docker command line from the readme, it is not going to work out-of-the-box with localhost due to networking isolation.

$ docker run -d \
  --name=wg-easy \
  -e WG_HOST=🚨YOUR_SERVER_IP \
  -e PASSWORD=🚨YOUR_ADMIN_PASSWORD \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

In this case, localhost refers to the inside of the docker container, and I suppose your wstunnel client is not started inside this container but on your host machine.

Try to replace localhost with the IP of your host machine:

❯ ip route | grep default
default via 192.168.0.1 dev wlo1 proto dhcp src 192.168.0.194 metric 3002

The IP should be 192.168.0.194, just after src.

Start your client with -L udp://192.168.0.194:51820:remote_host:51820. Warning: by doing so, your tunnel client is going to listen for/accept requests from your LAN network.

SadarSSI commented 3 months ago

Hello,

I'm not sure I understand what you're trying to do:

  • Using the VPN outbound and with the wstunnel client do you want to reach a wstunnel server elsewhere on the net?
  • Or use the VPN to have a public @ip with a wstunnel server to connect from the internet?

In some cases, I use it to display html on https://mysubdom.mydom.fr and reverse proxy to the wstunnel process.

No, Apache server is not needed.

I use it to display a static html on https://mysubdom.mydom.fr and reverse proxy it to the wstunnel process.

Personally, I use wstunnel to do ssh over https and create one or more tunnels to resources on a local network.

If you wish, I can provide you with an example configuration with the dockerfile, the docker-compose.yaml and the startup scripts. You should be able to contact me via GitHub.

mosheung130 commented 3 months ago

> Hello,
>
> Yes it should work with wg-easy, even if I have never used it myself. If you use the docker cmd line from the readme, it is not going to work out-of-the-box with localhost due to networking isolation.
>
> $ docker run -d \
>   --name=wg-easy \
>   -e WG_HOST=🚨YOUR_SERVER_IP \
>   -e PASSWORD=🚨YOUR_ADMIN_PASSWORD \
>   -v ~/.wg-easy:/etc/wireguard \
>   -p 51820:51820/udp \
>   -p 51821:51821/tcp \
>   --cap-add=NET_ADMIN \
>   --cap-add=SYS_MODULE \
>   --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
>   --sysctl="net.ipv4.ip_forward=1" \
>   --restart unless-stopped \
>   ghcr.io/wg-easy/wg-easy
>
> In this case, localhost will refer to within the docker container, and I suppose, your wstunnel client is not started inside this container, but on your host machine.
>
> Try to replace localhost by the ip of your host machine
>
> ❯ ip route | grep default
> default via 192.168.0.1 dev wlo1 proto dhcp src 192.168.0.194 metric 3002
>
> the ip should be 192.168.0.194 just after src
>
> and start your client with -L udp://192.168.0.194:51820:remote_host:51820 Warning by doing so your tunnel client is going to listen/accept request from your lan network

Sorry for the confusion. I have been using wg-easy with the server IP already, but I don't understand the following part:

❯ ip route | grep default
default via 192.168.0.1 dev wlo1 proto dhcp src 192.168.0.194 metric 3002

When I run the command (ip route | grep default) without the (>) I get this. I think I routed that before; is that backwards? The enp1s0 is what wg-easy in docker is running on, I think.

default via 139.180.172.1 dev enp1s0

also when I tried running this command

./wstunnel client -L 'udp://myip:51820:remote_host:51820'

it gave me this error

error: invalid value 'udp://myip:remote_host:51820' for '--local-to-remote {tcp,udp,socks5,stdio}://[BIND:]PORT:HOST:PORT': cannot parse bind port from remote_host

Sorry, what might I be doing wrong?

mosheung130 commented 3 months ago

> Hello,
>
> I'm not sure I understand what you're trying to do:
>
>   • Using the VPN outbound and with the wstunnel client do you want to reach a wstunnel server elsewhere on the net?
>   • Or use the VPN to have a public @ip with a wstunnel server to connect from the internet?
>
> In some cases, I use it to display html on https://mysubdom.mydom.fr and reverse proxy to the wstunnel process.
>
> No, Apache server is not needed.
>
> I use it to display astatic html on https://mysubdom.mydom.fr and reverse proxy it to the wstunnel process.
>
> Personally, I use wstunnel to do ssh over https and create one or more tunnels to resources on a local network.
>
> If you wish, I can provide you with an example configuration with the dockerfile, the docker-compose.yaml and the startup scripts. You should be able to contact me via github

I am just trying to hide WireGuard traffic as normal traffic (HTTP or HTTPS, I forgot); somehow I can't open either of the links.

SadarSSI commented 3 months ago

Okay, so you want to set up a connection like this:

PC1 Windows or Linux --> WireGuard client --> wstunnel --> internet --> PC2 Linux or Windows --> wstunnel --> WG server

This means that you need to do the following:

On PC1, redirect the destination WireGuard port to wstunnel. Then, wstunnel should connect to an address like ws://PC2.com:443 or ws://PC2.com:80.

On PC2, wstunnel should listen on port 443 or 80 and redirect to the WG server port.

Is that right?

The wstunnel command on PC1 should be something like this:

wstunnel client -L 'udp://51280:localhost:51280?timeout_sec=0' ws://PC2.com:443 [--http-proxy=your.enterprise-proxy:3128]

The command on PC2 (WireGuard server) should be something like this:

wstunnel server --restrict-to localhost:51820 wss://[::]:443

or

wstunnel server --restrict-to localhost:51820 wss://0.0.0.0:443

Your command _./wstunnel client -L 'udp://myip:51820:remote_host:51820'_ is not correct.
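Two of the failures in this thread are configuration mismatches that can be caught before anything listens on the network: a `-L` spec that does not parse, and a client forwarding to a HOST:PORT that the server's `--restrict-to` rejects (the "not allowed destination" log line). The POSIX sh script below is an added example written for this issue, not code from wstunnel; it assumes only the `-L` grammar quoted in the error message above (`{tcp,udp,socks5,stdio}://[BIND:]PORT:HOST:PORT`, without `stdio://` or IPv6 bind addresses) and the `--restrict-to host:port` form used in the commands above.

```shell
#!/bin/sh
# Added example, not part of wstunnel: pre-flight checks for a client "-L" spec
# and the server's --restrict-to list, using the grammar quoted in the error
# message earlier in this thread:  {tcp,udp,socks5}://[BIND:]PORT:HOST:PORT
# (stdio:// and IPv6 bind addresses are not handled here).

is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# parse_local_spec SPEC  -> prints "PROTO BIND PORT HOST RPORT" or fails
parse_local_spec() {
  spec=$1; proto=${spec%%://*}; rest=${spec#*://}; rest=${rest%%\?*}
  [ "$proto" != "$spec" ] || { echo "missing scheme in '$spec'" >&2; return 1; }
  case "$proto" in
    tcp|udp|socks5) ;;
    *) echo "unknown protocol '$proto' in '$spec'" >&2; return 1 ;;
  esac
  # split on ':'; the optional BIND address is present when there are four fields
  IFS=: read -r f1 f2 f3 f4 f5 <<EOF
$rest
EOF
  if [ -n "$f4" ]; then bind=$f1; port=$f2; host=$f3; rport=$f4; extra=$f5
  else bind=0.0.0.0; port=$f1; host=$f2; rport=$f3; extra=$f4; fi
  [ -z "$extra" ] || { echo "too many fields in '$spec'" >&2; return 1; }
  is_port "$port" || { echo "cannot parse bind port from '$port'" >&2; return 1; }
  { [ -n "$host" ] && is_port "$rport"; } ||
    { echo "cannot parse remote HOST:PORT in '$spec'" >&2; return 1; }
  echo "$proto $bind $port $host $rport"
}

# check_allowed SPEC RESTRICT...  -> 0 when the client's HOST:PORT is one of
# the server's --restrict-to values; otherwise explains why the server rejects it
check_allowed() {
  spec=$1; shift
  parsed=$(parse_local_spec "$spec") || return 1
  set -- $parsed "$@"        # $1..$5 = parsed fields, the rest = restrict list
  dest="$4:$5"; shift 5
  for allowed in "$@"; do
    [ "$allowed" = "$dest" ] && return 0
  done
  echo "server would reject: $dest is not in --restrict-to ($*)" >&2
  return 1
}

# The mismatch from this thread: the client forwards to 51280 while the server
# only allows localhost:51820.
check_allowed 'udp://51280:localhost:51280?timeout_sec=0' 'localhost:51820' ||
  echo "fix the client's HOST:PORT before starting" >&2
```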

mosheung130 commented 3 months ago

Oh yes I see, will try that thanks very much.

SadarSSI commented 3 months ago

If you are having trouble configuring the VPN with wstunnel, I suggest you first try to get it working with OpenSSH. Once OpenSSH is working, you will have validated the functioning of wstunnel between your client and your server.

OpenSSH: on the client side, you should have a command like this:

ssh user@remoteLocal_IP -t -o proxycommand="wstunnel client -L stdio://%h:%p wss://yourdomain.com:443 [--http-proxy=enterpriseproxy:3128]" -L 2222:LocalIPWindows:3389

For example:

ssh user@192.168.10.25 -t -o proxycommand="wstunnel client -L stdio://%h:%p wss://yourdomain.com:443 [--http-proxy=enterpriseproxy:3128]" -L 2222:192.168.10.32:3389

[--http-proxy=enterpriseproxy:3128] --> If you need to use a corporate proxy to make traffic flow out via port 443 or 80

On the server side, you should have a command like this:

wstunnel server --restrict-to 192.168.10.25:22 wss://0.0.0.0:443 --> If you want to restrict access to the server 192.168.10.25

or

wstunnel server wss://0.0.0.0:443 --> If you don't want to restrict access to a single server

On the SSH server side: it is recommended to only accept SSH key-based authentication.

On the SSH client side: have an SSH config file (.ssh/config) with:

host *
ForwardAgent yes

klementng commented 2 months ago

@mosheung130

> Does wstunnel work with wg-easy?

Yes it will work. I've been using it myself for my own setup for many months now.

I set it up in a way where the wg-easy and wstunnel containers share a common container for networking. Here is a modified/simplified configuration from my own setup:

services:
  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - TZ=${TZ}
      - PASSWORD=${TUN_WG_EASY_PASSWORD}

      - WG_HOST=  #external domain/ip
      - WG_PORT=443 #external facing port
      - WG_DEVICE=eth0
      - WG_DEFAULT_ADDRESS=10.6.0.x
      - WG_PERSISTENT_KEEPALIVE=21
    ports:
      # expose all ports from the "main" networking container
      - 443:51820/udp    # wg
      - 51820:51820/udp  # wg
      - 8001:51821/tcp   # wg-easy interface
      - 8399:8399        # wstunnel
    labels:
      - "com.centurylinklabs.watchtower.monitor-only=true"
    restart: unless-stopped

  wstunnel:
    image: ghcr.io/erebe/wstunnel
    container_name: wstunnel
    environment:
      - TZ=${TZ}
    command: /home/app/wstunnel server wss://0.0.0.0:8399 --restrict-to=127.0.0.1:51820 --restrict-http-upgrade-path-prefix ${TUN_WSTUNNEL_SECRET}
    network_mode: service:wg-easy # or you can use container:container_name
    labels:
      - "com.centurylinklabs.watchtower.monitor-only=true"
    restart: unless-stopped

and to connect to it, I've been using a Python application/script that I've written for myself