erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available
BSD 3-Clause "New" or "Revised" License

v10.1.3 broke Wireguard over wstunnel with Nginx (error while reading from tunnel rx Unexpected EOF) #365

Closed Mellowchan closed 1 month ago

Mellowchan commented 1 month ago

Describe the bug

I have upgraded to the latest version (10.1.3) of wstunnel and my WireGuard setup with wstunnel and nginx broke.

To Reproduce

Upgrade to 10.1.3. Downgrading to 10.1.1 fixes the issue. (I did not try 10.1.2)

Expected behavior

Wireguard connects over wstunnel and nginx as it does normally.

Your wstunnel setup

Paste your logs of wstunnel, started with --log-lvl=DEBUG, and with the command line used

```
PreUp = ip route add 8.8.8.8 via "$(ip route get 8.8.8.8 | cut -d" " -f3 | sed -n '1p')" && ip route add 46.39.188.4 via "$(ip route get 46.39.188.4 | cut -d" " -f3 | sed -n '1p')"
PostDown = ip route delete 46.39.188.4 ; ip route delete 8.8.8.8

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 20
```


wstunnel (path prefix is censored):

```
wstunnel client --log-lvl=TRACE -L 'udp://0.0.0.0:51820:127.0.0.1:51820?timeout_sec=0' --http-upgrade-path-prefix 'ZZZZZZZZZZZZZZZ' wss://malisek.org:443
```

log (the end of the log has the actual error message):

```
2024-10-08T14:51:55.712230Z TRACE hickory_resolver::async_resolver: handle passed back
2024-10-08T14:51:55.712262Z INFO wstunnel: Starting wstunnel client v10.1.3
2024-10-08T14:51:55.712269Z INFO wstunnel::protocols::udp::server: Starting UDP server listening cnx on 0.0.0.0:51820 with cnx timeout of 0s
2024-10-08T14:51:59.917660Z INFO wstunnel::protocols::udp::server: New UDP connection from 127.0.0.1:58755
2024-10-08T14:51:59.917791Z INFO cnx_server: wstunnel::protocols::tcp::server: Opening TCP connection to malisek.org:443
2024-10-08T14:51:59.917883Z DEBUG cnx_server: hickory_proto::xfer::dns_handle: querying: malisek.org A
2024-10-08T14:51:59.917925Z DEBUG cnx_server: hickory_resolver::name_server::name_server_pool: sending request: [Query { name: Name("malisek.org"), query_type: A, query_class: IN }]
2024-10-08T14:51:59.917968Z DEBUG cnx_server: hickory_resolver::name_server::name_server: reconnecting: NameServerConfig { socket_addr: 8.8.8.8:53, protocol: Udp, tls_dns_name: None, trust_negative_responses: false, tls_config: None, bind_addr: None }
2024-10-08T14:51:59.918001Z DEBUG cnx_server: hickory_proto::xfer: enqueueing message:QUERY:[Query { name: Name("malisek.org"), query_type: A, query_class: IN }]
2024-10-08T14:51:59.918027Z DEBUG cnx_server: hickory_proto::xfer::dns_handle: querying: malisek.org AAAA
2024-10-08T14:51:59.918045Z DEBUG cnx_server: hickory_resolver::name_server::name_server_pool: sending request: [Query { name: Name("malisek.org"), query_type: AAAA, query_class: IN }]
2024-10-08T14:51:59.918063Z DEBUG cnx_server: hickory_resolver::name_server::name_server: existing connection: NameServerConfig { socket_addr: 8.8.8.8:53, protocol: Udp, tls_dns_name: None, trust_negative_responses: false, tls_config: None, bind_addr: None }
2024-10-08T14:51:59.918116Z DEBUG cnx_server: hickory_proto::xfer: enqueueing message:QUERY:[Query { name: Name("malisek.org"), query_type: AAAA, query_class: IN }]
2024-10-08T14:51:59.918169Z DEBUG hickory_proto::udp::udp_client_stream: final message: ; header 19252:QUERY:RD:NoError:QUERY:0/0/0 ; query ;; malisek.org. IN A
2024-10-08T14:51:59.918186Z DEBUG hickory_proto::udp::udp_client_stream: final message: ; header 2472:QUERY:RD:NoError:QUERY:0/0/0 ; query ;; malisek.org. IN AAAA
2024-10-08T14:51:59.918275Z DEBUG cnx_server: hickory_proto::udp::udp_stream: created socket successfully
2024-10-08T14:51:59.918343Z TRACE cnx_server: hickory_proto::udp::udp_client_stream: creating UDP receive buffer with size 512
2024-10-08T14:51:59.918382Z DEBUG cnx_server: hickory_proto::udp::udp_stream: created socket successfully
2024-10-08T14:51:59.918412Z TRACE cnx_server: hickory_proto::udp::udp_client_stream: creating UDP receive buffer with size 512
2024-10-08T14:51:59.951033Z TRACE cnx_server: hickory_proto::rr::record_data: reading A
2024-10-08T14:51:59.951062Z DEBUG cnx_server: hickory_proto::udp::udp_client_stream: received message id: 19252
2024-10-08T14:51:59.951116Z DEBUG cnx_server: hickory_resolver::error: Response:; header 19252:RESPONSE:RD,RA:NoError:QUERY:1/0/0 ; query ;; malisek.org. IN A ; answers 1 malisek.org. 157 IN A 46.39.188.4 ; nameservers 0 ; additionals 0
2024-10-08T14:51:59.951146Z DEBUG cnx_server: hickory_resolver::error: Response:; header 19252:RESPONSE:RD,RA:NoError:QUERY:1/0/0 ; query ;; malisek.org. IN A ; answers 1 malisek.org. 157 IN A 46.39.188.4 ; nameservers 0 ; additionals 0
2024-10-08T14:51:59.951184Z TRACE cnx_server: hickory_proto::rr::record_data: reading SOA
2024-10-08T14:51:59.951195Z DEBUG cnx_server: hickory_proto::udp::udp_client_stream: received message id: 2472
2024-10-08T14:51:59.951219Z DEBUG cnx_server: hickory_resolver::error: Response:; header 2472:RESPONSE:RD,RA:NoError:QUERY:0/1/0 ; query ;; malisek.org. IN AAAA ; answers 0 ; nameservers 1 malisek.org. 334 IN SOA ns3.epik.com. support.epik.com. 2022061401 10800 3600 604800 3600 ; additionals 0
2024-10-08T14:51:59.951251Z DEBUG cnx_server: hickory_resolver::lookup_ip: one of ipv4 or ipv6 lookup failed in ipv4_and_ipv6 strategy: no record found for Query { name: Name("malisek.org."), query_type: AAAA, query_class: IN }
2024-10-08T14:51:59.951314Z DEBUG wstunnel::protocols::tcp::server: Connecting to 46.39.188.4:443
2024-10-08T14:51:59.963488Z DEBUG cnx_server: wstunnel::protocols::tcp::server: Connected to tcp endpoint 46.39.188.4:443, aborted all other connection attempts
2024-10-08T14:51:59.963530Z INFO cnx_server: wstunnel::protocols::tls::server: Doing TLS handshake using SNI DnsName("malisek.org") with the server malisek.org:443
2024-10-08T14:51:59.963573Z DEBUG cnx_server: rustls::client::hs: No cached session for DnsName("malisek.org")
2024-10-08T14:51:59.963707Z DEBUG cnx_server: rustls::client::hs: Not resuming any session
2024-10-08T14:51:59.963746Z TRACE cnx_server: rustls::client::hs: Sending ClientHello Message { version: TLSv1_0, payload: Handshake { parsed: HandshakeMessagePayload { typ: ClientHello, payload: ClientHello( ClientHelloPayload { client_version: TLSv1_2, random: 19fcae28a76c34f63c3a8a01be83614dd51f1fbdbe03c26492090a728b8ccc9a, session_id: b4e96546bf3e34330b17a9911c1c5dd9eac6ad14466300d3d7c163c429afc720, cipher_suites: [ TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, ], compression_methods: [ Null, ], extensions: [ Protocols( [ ProtocolName( 687474702f312e31, ), ], ), SignatureAlgorithms( [ RSA_PKCS1_SHA1, ECDSA_SHA1_Legacy, RSA_PKCS1_SHA256, ECDSA_NISTP256_SHA256, RSA_PKCS1_SHA384, ECDSA_NISTP384_SHA384, RSA_PKCS1_SHA512, ECDSA_NISTP521_SHA512, RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512, ED25519, ED448, ], ), PresharedKeyModes( [ PSK_DHE_KE, ], ), SessionTicket( Request, ), EcPointFormats( [ Uncompressed, ], ), CertificateStatusRequest( Ocsp( OcspCertificateStatusRequest { responder_ids: [], extensions: , }, ), ), KeyShare( [ KeyShareEntry { group: X25519, payload: 5f0ca203373cd564f430981a8b4d5aba9577ee0113f5473bd7cc0137d2937e77, }, ], ), SupportedVersions( [ TLSv1_3, TLSv1_2, ], ), NamedGroups( [ X25519, secp256r1, secp384r1, ], ), ServerName( [ ServerName { typ: HostName, payload: HostName( DnsName( "malisek.org", ), ), }, ], ), ExtendedMasterSecretRequest, ], }, ), }, encoded: , }, }
2024-10-08T14:51:59.989040Z TRACE cnx_server: rustls::client::hs: We got ServerHello ServerHelloPayload { legacy_version: TLSv1_2, random: 6b64c1d5314e659da0496aa8b581655fa0dd3cb3ec1db8f96d2cb7adf928e3b6, session_id: b4e96546bf3e34330b17a9911c1c5dd9eac6ad14466300d3d7c163c429afc720, cipher_suite: TLS13_AES_256_GCM_SHA384, compression_method: Null, extensions: [ SupportedVersions( TLSv1_3, ), KeyShare( KeyShareEntry { group: X25519, payload: 4e5b914ecd79ff9d3592ffad96643aaf6e904f81f8ed08b86b740f9bf64ddc49, }, ), ], }
2024-10-08T14:51:59.989139Z DEBUG cnx_server: rustls::client::hs: Using ciphersuite TLS13_AES_256_GCM_SHA384
2024-10-08T14:51:59.989161Z DEBUG cnx_server: rustls::client::tls13: Not resuming
2024-10-08T14:51:59.989172Z TRACE cnx_server: rustls::client::client_conn: EarlyData rejected
2024-10-08T14:51:59.989327Z TRACE cnx_server: rustls::conn: Dropping CCS
2024-10-08T14:51:59.989343Z DEBUG cnx_server: rustls::client::tls13: TLS1.3 encrypted extensions: [ServerNameAck, Protocols([ProtocolName(687474702f312e31)])]
2024-10-08T14:51:59.989358Z DEBUG cnx_server: rustls::client::hs: ALPN protocol is Some(b"http/1.1")
2024-10-08T14:51:59.989399Z TRACE cnx_server: rustls::client::tls13: Server cert is CertificateChain([CertificateDer(…), CertificateDer(…)])
2024-10-08T14:51:59.989767Z DEBUG tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::tunnel::transport::websocket: with HTTP upgrade request Request { method: GET, uri: /ZZZZZZZZZZZZZZZ/events, version: HTTP/1.1, headers: {"host": "malisek.org", "upgrade": "websocket", "connection": "upgrade", "sec-websocket-key": "gnFlmHSoP/ZO2gnrNHxwyQ==", "sec-websocket-version": "13", "sec-websocket-protocol": "v1, authorization.bearer.eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjAxOTI2YzlkLTk2MmQtNzUwMi1iNmNhLTJlN2MyMjhlNGFkYSIsInAiOnsiVWRwIjp7InRpbWVvdXQiOm51bGx9fSwiciI6IjEyNy4wLjAuMSIsInJwIjo1MTgyMH0.TTHP3dEiwipeYkR6a2b9uwfTRURtroAbM0ri4wUume0"}, body: Empty }
2024-10-08T14:52:00.003690Z DEBUG tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::tunnel::client::client: Server response: Parts { status: 101, version: HTTP/1.1, headers: {"server": "nginx", "date": "Tue, 08 Oct 2024 14:52:00 GMT", "connection": "upgrade", "upgrade": "websocket", "sec-websocket-accept": "/IIo7EwH9REAfegmrszzFI3/DyU=", "sec-websocket-protocol": "v1"} }
2024-10-08T14:52:00.004792Z ERROR tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::tunnel::transport::io: error while reading from tunnel rx Unexpected EOF
2024-10-08T14:52:00.004819Z INFO tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::tunnel::transport::io: Closing local <= remote tunnel
2024-10-08T14:52:00.004881Z INFO tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::tunnel::transport::io: Closing local => remote tunnel
```


- server

wstunnel:

```
wstunnel server --restrict-to 127.0.0.1:51820 ws://0.0.0.0:33344
```

log:

```
Oct 08 16:50:39 base1 wstunnel[1780]: 2024-10-08T14:50:39.541135Z INFO cnx{peer="127.0.0.1:43410"}:tunnel{id="01926c9c-5c08-7680-9c6a-41802644f781" remote="127.0.0.1:51820"}: wstunnel::protocols::udp::server: Opening UDP connection to 127.0.0.1:51820
Oct 08 16:50:39 base1 wstunnel[1780]: 2024-10-08T14:50:39.541242Z INFO cnx{peer="127.0.0.1:43410"}:tunnel{id="01926c9c-5c08-7680-9c6a-41802644f781" remote="127.0.0.1:51820"}: wstunnel::tunnel::server::server: connected to Udp { timeout: None } 127.0.0.1:51820
Oct 08 16:50:44 base1 wstunnel[1780]: 2024-10-08T14:50:44.708367Z INFO cnx{peer="127.0.0.1:57510"}: wstunnel::tunnel::server::server: Accepting connection
Oct 08 16:50:44 base1 wstunnel[1780]: 2024-10-08T14:50:44.708657Z INFO cnx{peer="127.0.0.1:57510"}:tunnel{id="01926c9c-702d-70a3-b557-5c301176592d" remote="127.0.0.1:51820"}: wstunnel::tunnel::server::server: Tunnel accepted due to matched restriction: Allow All
Oct 08 16:50:44 base1 wstunnel[1780]: 2024-10-08T14:50:44.708697Z INFO cnx{peer="127.0.0.1:57510"}:tunnel{id="01926c9c-702d-70a3-b557-5c301176592d" remote="127.0.0.1:51820"}: wstunnel::protocols::udp::server: Opening UDP connection to 127.0.0.1:51820
Oct 08 16:50:44 base1 wstunnel[1780]: 2024-10-08T14:50:44.708808Z INFO cnx{peer="127.0.0.1:57510"}:tunnel{id="01926c9c-702d-70a3-b557-5c301176592d" remote="127.0.0.1:51820"}: wstunnel::tunnel::server::server: connected to Udp { timeout: None } 127.0.0.1:51820
Oct 08 16:51:59 base1 wstunnel[1780]: 2024-10-08T14:51:59.999724Z INFO cnx{peer="127.0.0.1:55284"}: wstunnel::tunnel::server::server: Accepting connection
Oct 08 16:52:00 base1 wstunnel[1780]: 2024-10-08T14:51:59.999981Z INFO cnx{peer="127.0.0.1:55284"}:tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::tunnel::server::server: Tunnel accepted due to matched restriction: Allow All
Oct 08 16:52:00 base1 wstunnel[1780]: 2024-10-08T14:52:00.000021Z INFO cnx{peer="127.0.0.1:55284"}:tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::protocols::udp::server: Opening UDP connection to 127.0.0.1:51820
Oct 08 16:52:00 base1 wstunnel[1780]: 2024-10-08T14:52:00.000134Z INFO cnx{peer="127.0.0.1:55284"}:tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: wstunnel::tunnel::server::server: connected to Udp { timeout: None } 127.0.0.1:51820
```


nginx.conf (relevant part) (version 1.26.2):

```
# wstunnel path
location /ZZZZZZZZZZZZZZZ/ {
        proxy_pass http://127.0.0.1:33344;
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection "upgrade";
        proxy_set_header    Host $host;
        proxy_set_header    X-Real-IP $remote_addr;

        proxy_connect_timeout       10m;
        proxy_send_timeout          10m;
        proxy_read_timeout          90m;
        send_timeout                10m;
}
```


Desktop (please complete the following information):

- OS: NixOS
- Version: 24.11.20241006.c31898a (Vicuna) x86_64

Additional context

Server and client have exactly the same versions.

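
Added example (not part of the original issue or of the wstunnel code base): a Python triage script that correlates the client and server logs above by tunnel id, decodes the bearer JWT from the upgrade request without verifying it, and reports at which stage the tunnel died. The sample lines are trimmed excerpts of the posted logs; the helper names (`events`, `bearer_claims`, `triage`) and the stage labels are assumptions of this example.

```python
import base64
import json
import re
from datetime import datetime, timedelta

# Excerpts of the client and server logs from this issue, trimmed to the fields
# the script reads (module paths and most HTTP headers dropped).
TUN = 'tunnel{id="01926c9d-962d-7502-b6ca-2e7c228e4ada" remote="127.0.0.1:51820"}: '
CLIENT_LOG = "\n".join([
    "2024-10-08T14:51:59.989767Z DEBUG " + TUN + "with HTTP upgrade request "
    'Request { headers: {"sec-websocket-protocol": "v1, authorization.bearer.'
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpZCI6IjAxOTI2YzlkLTk2MmQtNzUwMi1iNmNhLTJlN2MyMjhlNGFkYSIsInAiOnsiVWRwIjp7"
    "InRpbWVvdXQiOm51bGx9fSwiciI6IjEyNy4wLjAuMSIsInJwIjo1MTgyMH0."
    'TTHP3dEiwipeYkR6a2b9uwfTRURtroAbM0ri4wUume0"} }',
    "2024-10-08T14:52:00.003690Z DEBUG " + TUN + "Server response: Parts { status: 101 }",
    "2024-10-08T14:52:00.004792Z ERROR " + TUN + "error while reading from tunnel rx Unexpected EOF",
])
SERVER_LOG = "\n".join([
    '2024-10-08T14:51:59.999981Z INFO cnx{peer="127.0.0.1:55284"}:' + TUN
    + "Tunnel accepted due to matched restriction: Allow All",
    '2024-10-08T14:52:00.000134Z INFO cnx{peer="127.0.0.1:55284"}:' + TUN
    + "connected to Udp { timeout: None } 127.0.0.1:51820",
])

LINE = re.compile(r'^(\S+)Z\s+(\w+)\s+.*?tunnel\{id="([0-9a-f-]+)"[^}]*\}:\s*(.*)$')
BEARER = re.compile(r"authorization\.bearer\.[\w-]+\.([\w-]+)\.[\w-]+")

def events(log):
    """Yield (time, level, tunnel id, message) for every tunnel-scoped line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def bearer_claims(msg):
    """Decode (without verifying the signature) the JWT in sec-websocket-protocol."""
    m = BEARER.search(msg)
    if not m:
        return None
    return json.loads(base64.urlsafe_b64decode(m[1] + "=" * (-len(m[1]) % 4)))

def triage(client_log, server_log):
    """Per tunnel id: what the client requested, and where the tunnel died."""
    out = {}
    for ts, level, tid, msg in events(client_log):
        t = out.setdefault(tid, dict(claims=None, upgraded=None, failed=None, server_connected=False))
        t["claims"] = bearer_claims(msg) or t["claims"]
        if "status: 101" in msg:
            t["upgraded"] = ts
        if level == "ERROR" and t["failed"] is None:
            t["failed"] = ts
    for _, _, tid, msg in events(server_log):
        if tid in out and "connected to" in msg:
            out[tid]["server_connected"] = True
    for t in out.values():
        t["stage"] = ("ok" if not t["failed"] else "after upgrade"
                      if t["upgraded"] and t["server_connected"] else "handshake or proxy")
        t["us_after_upgrade"] = ((t["failed"] - t["upgraded"]) // timedelta(microseconds=1)
                                 if t["failed"] and t["upgraded"] else None)
    return out

if __name__ == "__main__":
    print({k: (v["stage"], v["us_after_upgrade"]) for k, v in triage(CLIENT_LOG, SERVER_LOG).items()})
```

On the posted logs the EOF arrives 1102 µs after nginx returned `101`, with the server already connected to the UDP endpoint, so the proxy upgrade and the `--restrict-to` check had both passed before the tunnel dropped.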
erebe commented 1 month ago

Hello,

Have you also updated the wstunnel server? I don't see any issues with my wireguard, everything is running fine.

If you can also provide:

```
export SSLKEYLOGFILE=/tmp/wstunnel.keyfile
export TOKIO_WORKERS=1
wstunnel client xxxx
```

and in another terminal

```
tcpdump -w capture.pcap -i your_interface dst 192.168.6.1 # replace with your server IP
```

and you can post the capture.pcap and also the wstunnel.keyfile files

erebe commented 1 month ago

Hi back,

I managed to reproduce the issue and it should be fixed in latest release https://github.com/erebe/wstunnel/releases/tag/v10.1.4

Let me know if it is ok

Mellowchan commented 1 month ago

> Hi back,
>
> I managed to reproduce the issue and it should be fixed in latest release https://github.com/erebe/wstunnel/releases/tag/v10.1.4
>
> Let me know if it is ok

Thank you, I've tested v10.1.4 (both on client and server) and the problem is resolved.