rapiz1 / rathole

A lightweight and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
Apache License 2.0

Wireguard support #261

Closed AlexZorzi closed 1 year ago

AlexZorzi commented 1 year ago

Describe the bug: I'm not able to set up a connection with WireGuard through rathole.

To Reproduce Steps to reproduce the behavior:

  1. set up WireGuard (weejewel/wg-easy) on the server and rathole
  2. create a configuration file for a WireGuard peer and try to connect

Configuration

version: '3.3'
services:
    rathole:
        restart: unless-stopped
        ports:
            - '80:80'
            - '443:443'
            - '2333:2333'
            - '51820:51820'
        volumes:
            - '/root/config.toml:/app/config.toml'
        image: rapiz1/rathole
        entrypoint: "./rathole --server /app/config.toml"
# server.toml
[server]
bind_addr = "0.0.0.0:2333" 

[server.services.wireguard]
token = "**********************"
bind_addr = "0.0.0.0:51820"

[client]
remote_addr = "******:2333"
default_token = "**********************" 
heartbeat_timeout = 40
retry_interval = 1

[client.services.wireguard]
type = "udp"
local_addr = "******:51820"
nodelay = true
retry_interval = 1

Logs: WireGuard app gets stuck at the handshake init

Environment:

fernvenue commented 1 year ago

Can't reproduce, my WireGuard works great with rathole. Does your WireGuard work without rathole? By the way, in your server configuration:

[server.services.wireguard]
token = "**********************"
bind_addr = "0.0.0.0:51820"

You may need to define type as udp.

AlexZorzi commented 1 year ago

Can't reproduce, my WireGuard works great with rathole. Does your WireGuard work without rathole? By the way, in your server configuration:

[server.services.wireguard]
token = "**********************"
bind_addr = "0.0.0.0:51820"

You may need to define type as udp.

Can you share your configuration? My setup is a bit weird, as my server (rathole client) only has a static IPv6 and a NATed IPv4, so WireGuard should go through a VPS (rathole server). I thought the type on the client config would have been enough, but I will try to add it to the server config as well.

fernvenue commented 1 year ago

Can you share your configuration?

Sure, here's my configuration for WireGuard:

[server.services.wireguard]
type = "udp"
bind_addr = "0.0.0.0:9573"

[client.services.wireguard]
type = "udp"
local_addr = "127.0.0.1:9573"

By the way, as I said above, make sure your WireGuard works well without rathole, that's the first thing, so that we can know which part goes wrong.

AlexZorzi commented 1 year ago

Added the udp type on the server as well, but with no luck in connecting. I use other ports like 443 and 80 without issues.

By the way, as I said above, make sure your WireGuard works well without rathole, that's the first thing, so that we can know which part goes wrong.

I tried and it works locally; I only have issues when trying to go through rathole. Is there a way to see the connections that go through rathole on both server and client?

AlexZorzi commented 1 year ago

@fernvenue I ran both the client and server in debug mode and I can see both incoming HTTP and HTTPS connections on the server, but no signs of the UDP WireGuard one.

fernvenue commented 1 year ago

Could you please provide your log info?

AlexZorzi commented 1 year ago

Could you please provide your log info?

Yep:


rathole-rathole-1  | 2023-06-05T16:57:39.381250Z DEBUG connection{addr=----------:7776}: rathole::server: Try to handshake a data channel
rathole-rathole-1  | 2023-06-05T17:00:24.548088Z DEBUG connection{addr=----------:7658}:handle{service=https}:run_tcp_connection_pool: rathole::server: New visitor from ----------


I get this output when I do an HTTPS request, but no log when I try to connect with WireGuard.

fernvenue commented 1 year ago

There should be something in the log even if the service is not connected. What exact configuration file do you use?

AlexZorzi commented 1 year ago

There should be something in the log even if the service is not connected. What exact configuration file do you use?

This is my full server configuration:

# server.toml
[server]
bind_addr = "0.0.0.0:2333"

[server.services.ssh]
token = "secretkey"
bind_addr = "0.0.0.0:2222"

[server.services.http]
token = "secretkey"
bind_addr = "0.0.0.0:80"

[server.services.wireguard]
type = "udp"
token = "secretkey"
bind_addr = "0.0.0.0:666"

[server.services.https]
token = "secretkey"
bind_addr = "0.0.0.0:443"

docker-compose.yml

version: '3.3'
services:
    rathole:
        environment:
            - RUST_LOG=debug
        restart: unless-stopped
        ports:
            - '80:80'
            - '443:443'
            - '2333:2333'
            - '2222:2222'
            - '666:666'
        volumes:
            - './config.toml:/app/config.toml'
        image: rapiz1/rathole
        entrypoint: "./rathole --server /app/config.toml"

fernvenue commented 1 year ago

You may need to tell your docker to use udp for 666 port.

AlexZorzi commented 1 year ago

You may need to tell your docker to use udp for 666 port.

Tried with - '666:666/udp' but still nothing shows up.

I tried to communicate with the server through UDP with nc, and indeed the UDP connection works outside of rathole, as shown here: https://serverfault.com/a/733921

AlexZorzi commented 1 year ago

I'm also able to communicate with a docker container over UDP using this command: docker run -p "1234:1234/udp" -it --rm alpine /bin/sh -c "nc -ul -p 1234", but nothing shows up on rathole.

AlexZorzi commented 1 year ago

@fernvenue what WireGuard setup did you follow? I enabled trace instead of debug and now the UDP packet seems to be going through to the client:

TRACE handle{service=wireguard}:run:run_data_channel_for_udp{local_addr="192.168.1.116:51820"}: rathole::protocol: hdr UdpHeader { from: ****************:6468, len: 148 }

If this is how a delivered UDP packet should look, the issue might be with my WireGuard setup.

fernvenue commented 1 year ago

I thought you confirmed here that your WireGuard works fine locally. How do you setup your WireGuard?

AlexZorzi commented 1 year ago

I thought you confirmed here that your WireGuard works fine locally. How do you setup your WireGuard?

It does work locally, but for some reason it can't see the packets that rathole sends. Is it normal that rathole logs WireGuard only at the trace level?

fernvenue commented 1 year ago

Here's my WireGuard service in rathole client log:

INFO handle{service=wireguard}: rathole::client: Starting 1xxxxxxxxxxxxxxxxxxxx2
INFO handle{service=wireguard}:run: rathole::client: Control channel established

Server side:

INFO connection{addr=x.x.x.x:1xxx2}: rathole::server: Control channel established service=wireguard
INFO connection{addr=x.x.x.x:1xxx2}:handle{service=wireguard}:run_udp_connection_pool: rathole::server: Listening at x.x.x.x:1xxx2

So I'm not quite sure which part is going wrong on your devices, but WireGuard definitely works with rathole.

AlexZorzi commented 1 year ago

I'll close the issue since it's probably related to me only. @fernvenue thanks for the help!

aazam476 commented 12 months ago

I'm having this issue as well on WG-Easy. Did you manage to find any way to fix it?

AlexZorzi commented 12 months ago

I'm having this issue as well on WG-Easy. Did you manage to find any way to fix it?

Nope, I gave up on it and settled on using tailscale

aazam476 commented 12 months ago

I managed to fix the issue by creating a new docker network and adding the rathole and wg-easy containers to it and referring to the wg-easy container in rathole's config file using its service name.
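A client-side compose file implementing the fix described above, as an added example that is not from the issue or the rathole project: wg-easy's capabilities and sysctls follow its own README, the hostname vps.example.com and the token are placeholders, and embedding the TOML through configs.content assumes Docker Compose v2.23.1 or newer (with an older Compose, mount the same TOML from a file instead).

```yaml
# Added example: run on the host where WireGuard lives (the rathole *client* side).
# Both containers join a user-defined network, so rathole can hand UDP datagrams to
# WireGuard by service name instead of a host IP that is not reachable from inside
# the rathole container. 51820/udp is deliberately not published on this host: the
# only inbound path is the rathole tunnel, which keeps the exposed surface to the
# single control-channel port on the VPS.
services:
  wg-easy:
    image: weejewel/wg-easy
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      # Placeholder: the public address peers dial, i.e. the rathole server.
      - WG_HOST=vps.example.com
    volumes:
      - ./wg-easy:/etc/wireguard
    networks:
      - wgnet

  rathole:
    image: rapiz1/rathole
    entrypoint: ["./rathole", "--client", "/app/client.toml"]
    restart: unless-stopped
    depends_on:
      - wg-easy
    networks:
      - wgnet
    configs:
      - source: rathole_client
        target: /app/client.toml

networks:
  wgnet: {}

configs:
  rathole_client:
    content: |
      [client]
      remote_addr = "vps.example.com:2333"   # placeholder: rathole server
      default_token = "CHANGE_ME"            # placeholder: must match the server token

      [client.services.wireguard]
      type = "udp"
      local_addr = "wg-easy:51820"           # service name resolves on wgnet
```

The matching server-side entry is the one fernvenue posted earlier: a [server.services.wireguard] block with type = "udp" and a bind_addr on the VPS, published there with a /udp port mapping.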

AlexZorzi commented 12 months ago

I managed to fix the issue by creating a new docker network and adding the rathole and wg-easy containers to it and referring to the wg-easy container in rathole's config file using its service name.

Wow, thanks this worked!