wangyu- / udp2raw

A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls (or Unstable UDP Environment)
MIT License

[feature request] One udp2raw client forwards wireguard packets to multiple udp2raw servers with automatically parsing wireguard UDP packet target ip #212

Open diyism opened 5 years ago

diyism commented 5 years ago

Now I'm using wireguard over udp2raw (https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L155), it's very stable, but the combination will lose the automatic p2p or automatic NAT traversal feature of WireGuard.

===========================

Currently I must manually start two udp2raw tunnels:

udp2raw_amd64 -c -l127.0.0.1:20001 -r --source-ip 192.168.0.3 -a
udp2raw_amd64 -c -l127.0.0.1:20002 -r --source-ip 192.168.0.3 -a

ping 10.0.0.1->wireguard node(127.0.0.1:40001, setconf Peer 10.0.0.1 Endpoint 127.0.0.1:20001)->udp packet with target ip 127.0.0.1->udp2raw client(127.0.0.1:20001) on my PC->raw tcp traffic->udp2raw server on my VPS1->udp traffic->wireguard on vps1->vps1

ping 10.0.0.2->wireguard node(127.0.0.1:40001, setconf Peer 10.0.0.2 Endpoint 127.0.0.1:20002)->udp packet with target ip 127.0.0.1->udp2raw client(127.0.0.1:20002) on my PC->raw tcp traffic->udp2raw server on my VPS2->udp traffic->wireguard on vps2->vps2

============================

I want: only one udp2raw client should be needed, and no remote ip:port has to be set:

udp2raw_amd64 -c -l192.168.0.3:20001 --source-ip 192.168.0.3 --source-port 20001 -a

ping 10.0.0.1->wireguard node(127.0.0.1:40001, setconf Peer 10.0.0.1 Endpoint vps1 ip:port)->iptables -A OUTPUT -p udp --sport 40001 -j REDIRECT --to-port 20001->udp packet with target ip vps1 ip->udp2raw client(127.0.0.1:20001) on my PC->raw tcp traffic->udp2raw server on my VPS1->udp traffic->wireguard on vps1->vps1

ping 10.0.0.2->wireguard node(127.0.0.1:40001, setconf Peer 10.0.0.2 Endpoint vps2 ip:port)->iptables -A OUTPUT -p udp --sport 40001 -j REDIRECT --to-port 20001->udp packet with target ip vps2 ip->udp2raw client(127.0.0.1:20001) on my PC->raw tcp traffic->udp2raw server on my VPS2->udp traffic->wireguard on vps2->vps2

And the udp2raw server should listen on the same port as the udp2raw client:

udp2raw_amd64 -s -l 192.168.0.3:20001 -r 127.0.0.1:40001 -a

diyism commented 5 years ago

I think that keeping the p2p feature of WireGuard in wireguard+udp2raw is more complex than having WireGuard itself support Fake TCP/Raw TCP packets.

butterl commented 5 years ago

@diyism any update about your wireguard+udp2raw work? I found someone's settings for the server side.

A server configured like this seems to receive udp2raw packets on 2999 and redirect them to speederv2 port 8888, then forward to the wireguard server port 443:

speederv2 -s -l127.0.0.1:8888  -r127.0.0.1:443  -f20:10 -k password --mode 0  >> /var/log/speederv2.log &
udp2raw   -s -l0.0.0.0:2999  -r 127.0.0.1:8888  -k password --raw-mode faketcp  >> /var/log/wg_udp2raw.log &

But I didn't get his client config; it seems we could use something like:

  1. configure the wireguard server as 127.0.0.1:8888 (Endpoint = 127.0.0.1:8888) to speederv2
  2. then route speederv2 data to udp2raw, which connects to serverip:2999

speederv2 -c -l127.0.0.1:2999 -r127.0.0.1:8888  -k password  >> /var/log/speederv2.log &
udp2raw -c -l127.0.0.1:8888  -rserverip:2999 -k password --raw-mode faketcp --cipher-mode xor -a  >> /var/log/wg_udp2raw.log &

wg0.conf
Endpoint = 127.0.0.1:2999

The route table for wg will route all packets to the wireguard server (127.0.0.1:2999).

I'm not sure if this could work well, but maybe it is a way to approach it.

diyism commented 5 years ago

I have used wireguard+udp2raw for 3 months, it's very stable, no speederv2 needed: https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L156

butterl commented 5 years ago

@diyism Thanks for sharing your config.

I tried your udp2raw config approach: wireguard's endpoint set to the udp2raw listening port, and udp2raw connecting to the remote udp2raw listening port.

Server side:
udp2raw -s -l0.0.0.0:8888 -r127.0.0.1:443 -k "passwd" --raw-mode faketcp -a

Client side:
udp2raw -c -rserverip:8888 -l0.0.0.0:8887 --raw-mode faketcp -a -k"passwd"

and got the server and client ready:

[2018-12-24 09:53:45][INFO][45.249.212.49:2293]received syn,sent syn ack back
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]got packet from a new ip
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]created new conn,state: server_handshake1,my_id is d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]changed state to server_handshake1,my_id is d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]received handshake oppsite_id:5c78d937  my_id:d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]oppsite const_id:e5b9e7db 
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]changed state to server_ready

but when I wg-quick up wg0 it just failed to connect, and ping 10.0.0.1 lost 100% of packets. The wg0 config is as below:

[Interface]
PrivateKey = <client privatekey>
Address = 10.0.0.3/24
DNS = 8.8.8.8
MTU = 1300
[Peer]
PublicKey = <server pubkey>
Endpoint = 127.0.0.1:8887
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25

Server wg0 config:

[Interface]
Address = 10.0.0.1/24
MTU = 1420
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 443
PrivateKey = <server private key>

[Peer]
PublicKey = <client pubkey>
AllowedIPs = 10.0.0.3/32

diyism commented 5 years ago

I'll paste all the configs that I'm using now:

client A:
./udp2raw_amd64 -c -l127.0.0.2:21409 -r<server ip>:21409 --source-ip <lan ip> -a -k "udp2raw passwd"

/etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <client A private key>
Address = 10.0.0.3/32
ListenPort = 21406
MTU=1300
PostUp = ip route add 10.0.0.0/24 dev wg0
PostDown = ip route del 10.0.0.0/24

[Peer]
#10.0.0.1 server
PublicKey = <server public key>
Endpoint = 127.0.0.2:21409
AllowedIPs = 0.0.0.0/0

Server:
./udp2raw_amd64 -s -l 0.0.0.0:21409 -r 127.0.0.1:21405 -a -k "udp2raw passwd"

/etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <server private key>
ListenPort = 21405
SaveConfig = false
Address = 10.0.0.1/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <cilent A public key>
AllowedIPs = 10.0.0.3/32

Did I miss something important in my gist? https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L156

If you succeed, show me your configs.

butterl commented 5 years ago

@diyism I tried all the configs and finally I found a luci config and added this rule before wg up wg0 (or in PreUp):

ip route add $server via $(ip route | awk '$1=="default" {print $3}')

The main difference seems to be that I do not add a --source-ip <lan ip> on the client side.

Just tried adding --source-ip <lan ip> but it doesn't work.

diyism commented 5 years ago

I know the problem: "AllowedIPs = 0.0.0.0/0" should exclude the udp2raw server ip, do you know how?

I commented out "AllowedIPs = 0.0.0.0/0" in the gist, and add every foreign IP into ip route through dns2https.php, so it's working on my side, but if I uncomment it, the udp2raw traffic will be blocked.

butterl commented 5 years ago

AllowedIPs is used to filter the connection's in/out whitelist, from my understanding, so it may be hard to use this. I'm now using PostUp/PostDown to approach it; also it would be good to add a gfw list script to PostUp/PostDown for speedup on the client side:

PostUp = ip route add server_ip via net_address_out
PostDown = ip route del server_ip

Also in your client config, these seem to be done automatically by wg itself:

PostUp = ip route add 10.0.0.0/24 dev wg0
PostDown = ip route del 10.0.0.0/24
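The routing fix discussed in the last two comments (a host route that keeps udp2raw's packets to the server off wg0 when AllowedIPs = 0.0.0.0/0), as an added example that is not from this thread or the udp2raw project: it derives the gateway from `ip route` output, generates the PostUp/PostDown lines, and checks `ip route get` output for the loop. The server IP 203.0.113.10, the interface names and all route lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not udp2raw's own code. Derives the bypass route that keeps
# udp2raw's traffic to its server off wg0 when AllowedIPs = 0.0.0.0/0.

# Gateway of the default route; reads `ip route show` output on stdin.
default_gateway() {
  awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Outgoing interface of the default route; same input.
default_dev() {
  awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Interface that a single `ip route get <ip>` line resolves to.
route_dev() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# wg0.conf lines that pin the server to the physical path and clean up on down.
postup_line() {   # $1 server ip, $2 gateway, $3 interface
  printf 'PostUp = ip route replace %s/32 via %s dev %s\n' "$1" "$2" "$3"
}
postdown_line() { # $1 server ip
  printf 'PostDown = ip route del %s/32\n' "$1"
}

# Returns 0 when the server is NOT routed into wg0 (no loop), 1 otherwise.
bypass_ok() {     # stdin: `ip route get <server ip>` output
  [ "$(route_dev)" != "wg0" ]
}

# Constructed sample data (not captured from a real host).
SERVER_IP=203.0.113.10
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0 proto dhcp metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.3'
LOOPED_GET="$SERVER_IP dev wg0 table 51820 src 10.0.0.3 uid 0"
FIXED_GET="$SERVER_IP via 192.168.0.1 dev eth0 src 192.168.0.3 uid 0"

# Emit the two lines to paste into the client's wg0.conf [Interface] section.
gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)
dev=$(printf '%s\n' "$SAMPLE_ROUTES" | default_dev)
postup_line "$SERVER_IP" "$gw" "$dev"
postdown_line "$SERVER_IP"
```

On a live host, replace the constructed strings with the output of `ip route show` and `ip route get <server ip>`; if the latter still reports `dev wg0` after the tunnel is up, the udp2raw traffic is looping into the tunnel.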