Forward Wireguard traffic to SOCKS server

[RoganDawes]

Hi,

I was wondering how hard it would be to support the inverse mode of operation, where traffic received via the Wireguard interface would automatically be forwarded via a SOCKS server?

i.e TCP SYN received via wg triggers a dial via a configured SOCKS server.

In theory, this could be extended for UDP, although most SOCKS servers do not include UDP support.

[pufferffish]

Hello,

Just to be sure, do you mean something like hosting a SOCKS5 server on wireguard's network, and the outbound traffic of the SOCKS5 proxy would be outside wireguard?

This would require some slight patching to or changing the socks5 library which I am currently using. In fact while testing suggestions in #15 I think I've accidentally implemented something like what you are describing. I'll look into it and try to implement it.

[RoganDawes]

Perhaps explaining the use case will clarify.

As a security person, quite often we can achieve a socks tunnel into a target network, whether via reGeorg or PivotNacci, or even ssh. Once that is done, sometimes we want to use a Windows-based tool to interact with eg the target domain, but actually coercing the tool to use the socks proxy can be quite difficult in some cases.

As an alternative, one could route the windows traffic over a vpn, such as wireguard, then use Linux transparent proxying and redsocks on the vpn endpoint to achieve the same end result. This has been prototyped using a docker container, but even then, it's more complicated and heavyweight than strictly necessary.

The proposed alternative would be to integrate the wireguard endpoint and the socks client into one app, such that any traffic reaching the wireguard endpoint, and destined for a non-local target would be routed via the socks client, to a specified socks server.

[pufferffish]

Okay I think what I understand what you mean. So basically what you are asking for is a program that would expose itself as a wireguard peer, and any traffic it received would be forwarded via a specified socks5 server?

I think implementing such a thing wouldn't be hard. I can give it a try.

[RoganDawes]

Yes, exactly that. Happy to test for you when needed.

[pufferffish]

So here is an status update: this is going to be harder than I had originally thought. gvisor's netstack is too abstracted for me to accomplish listening TCP traffic on all addresses easily. There is hope though: this library seems to allow me to implement your suggestion with ease.

From how things are looking right now, I will probably implement your suggestion in a separate project, since I doubt the final code will share anything with wireproxy's code (besides config parsing).

Edit: this project seems to mostly accomplish what you want, except the wireguard part. I will investigate into this project and see if I can adapt some of it into wireproxy.

[RoganDawes]

Tun2socks looks like it should do all I actually need, thanks for finding it! I'll test that out, and let you know how it goes.

[vivek030]

Hi Rogan, Kindly let us know if Tun2socks works and steps to follow.

Thanks

[RoganDawes]

Did not end up trying it. HTTPS://GitHub.com/Sensepost/wiresocks did what I wanted it to do.

[uuonda]

@pufferffish Does wireproxy support "reverse" SOCKS proxy and/or remote port forwarding?

For example a wireguard "client", peer 10.8.1.2, connects to the wireguard "server", peer 10.8.1.1. After that "server" can use 10.8.1.2:1080 as a SOCKS proxy to access whatever is reachable through 10.8.1.2.