yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
https://www.rutschle.net/tech/sslh/README.html
GNU General Public License v2.0

UDP (OpenVPN + Wireguard) #316

Closed prismplex closed 4 months ago

prismplex commented 2 years ago

Hi community, this project is really great. I have been using it for about 5 years with pleasure. With the recently added UDP feature I would like to implement OpenVPN UDP and Wireguard, but I am struggling to get it to work.

I am using sslh-select with the following configuration file (*some-port, tcp-port, udp-port are the corresponding service ports I can connect to directly without problems). With sslh I get "Waiting for server response" in the case of OpenVPN. Wireguard does not receive a response.

timeout: 5;
transparent: true;

listen:
(
    { host: "hostname"; port: "443"; },
    { host: "hostname"; is_udp: true; port: "443"; }
);

protocols:
(
# Forward TCP
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "some-port"; keepalive: true; fork: true; tfo_ok: true },
     { name: "openvpn"; host: "localhost"; port: "tcp-port"; tfo_ok: true },
     { name: "xmpp"; host: "localhost"; port: "some-port"; tfo_ok: true },
     #{ name: "http"; host: "localhost"; port: "80"; tfo_ok: true },
     { name: "tls"; host: "localhost"; port: "4443"; tfo_ok: true },
     #{ name: "anyprot"; host: "localhost"; port: "443"; tfo_ok: true },

# Forward UDP
     { name: "openvpn"; host: "localhost"; is_udp: true; port: "udp-port" }, #OpenVPN
     { name: "regex"; host: "localhost"; is_udp: true; port: "some-port"; regex_patterns: [ "\x01\x00\x00\x00" ] }, #Wireguard
);

Can somebody help me please?
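The two UDP entries in the config above rely on sslh inspecting the first bytes of each datagram: a WireGuard handshake initiation starts with message type `0x01` and three reserved zero bytes (the `\x01\x00\x00\x00` regex), and an OpenVPN client's first UDP packet carries the P_CONTROL_HARD_RESET_CLIENT opcode in its leading byte. The following is an added example, not code from sslh or from anyone in this thread, that shows such a datagram classifier in Python and the dispatch to the backend ports used in the config; the sample datagrams are constructed, and the backend table is an assumption taken from the posted config.

```python
# Added example: classify the first datagram of a UDP flow the way a
# multiplexer has to, then pick the backend. Not sslh's own probe code.

# WireGuard handshake initiation: type byte 1, three reserved zero bytes,
# 4-byte sender index, then ephemeral/static/timestamp/MAC fields; the
# whole message is always 148 bytes long.
WG_HANDSHAKE_INITIATION_LEN = 148
WG_INITIATION_PREFIX = b"\x01\x00\x00\x00"

# OpenVPN UDP: leading byte is (opcode << 3) | key_id. A client opens with
# P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7, byte 0x38 for key_id 0) or
# P_CONTROL_HARD_RESET_CLIENT_V3 (opcode 10, byte 0x50). Without tls-auth
# the shortest control packet is opcode(1) + session id(8) + ack count(1)
# + packet id(4) = 14 bytes.
OPENVPN_HARD_RESET_OPCODES = {7, 10}
OPENVPN_MIN_CONTROL_LEN = 14

# Backend targets mirroring the ports in the posted config (assumption).
BACKENDS = {
    "openvpn": ("localhost", 1194),
    "wireguard": ("localhost", 9191),
}

# Constructed sample datagrams (not captures).
WG_INITIATION = WG_INITIATION_PREFIX + b"\x11\x22\x33\x44" + b"\x00" * 140
OPENVPN_HARD_RESET = b"\x38" + b"\xaa" * 8 + b"\x01" + b"\x00" * 4 + b"\x00" * 15
DNS_LIKE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x00"


def classify_datagram(payload: bytes) -> str:
    """Return 'wireguard', 'openvpn' or 'unknown' for the first datagram.

    The WireGuard check is stricter than the regex in the config: it also
    requires the fixed 148-byte length, so a random packet that merely
    begins with 0x01 0x00 0x00 0x00 is not routed to the WireGuard port.
    The OpenVPN check is a prefix heuristic; a packet whose first byte
    happens to encode opcode 7 or 10 will be accepted too, which is the
    inherent limit of probing on one byte.
    """
    if (len(payload) == WG_HANDSHAKE_INITIATION_LEN
            and payload[:4] == WG_INITIATION_PREFIX):
        return "wireguard"
    if len(payload) >= OPENVPN_MIN_CONTROL_LEN:
        opcode = payload[0] >> 3
        if opcode in OPENVPN_HARD_RESET_OPCODES:
            return "openvpn"
    return "unknown"


def route_datagram(payload: bytes):
    """Return (label, backend) or (label, None) when no backend applies."""
    label = classify_datagram(payload)
    return label, BACKENDS.get(label)


if __name__ == "__main__":
    for name, pkt in [("wireguard init", WG_INITIATION),
                      ("openvpn hard reset", OPENVPN_HARD_RESET),
                      ("dns-like", DNS_LIKE)]:
        print(f"{name:20s} -> {route_datagram(pkt)}")
```

Only the first datagram of a flow is probed; a real multiplexer must then remember the (source address, source port) to backend mapping so that later datagrams of the same flow, which no longer carry a recognisable prefix, reach the same backend.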

utoni commented 2 years ago

Does:

{ name: "openvpn"; service: "openvpn"; host: "127.0.0.1"; port: "1194"; keepalive: true; fork: true; tfo_ok: false; }

work for you?

coolwanglu commented 2 years ago

I recently did something similar.

For WireGuard, maybe you need to set AllowedIPs=0.0.0.0/0 in the conf file, since sslh is in transparent mode.

If possible, please also share your config of WireGuard.

prismplex commented 2 years ago

Does:

{ name: "openvpn"; service: "openvpn"; host: "127.0.0.1"; port: "1194"; keepalive: true; fork: true; tfo_ok: false; }

work for you?

Did not have time to investigate it until now. Unfortunately I am not getting any server response. OpenVPN via port 1194 works perfectly in UDP mode, but switching it to port 443 does not generate any connection/response.

TCP via 1195 (same OpenVPN docker container with TCP config) works perfectly via 443.

This is my current sslh config:

timeout: 5;
transparent: true;

# Logging configuration
# Value: 1: stdout; 2: syslog; 3: both
# Defaults are indicated here, and should be sensible. Generally, you want *-error
# to be always enabled, to know if something is going wrong.
verbose-config: 0; #  print configuration at startup
verbose-config-error: 3;  # print configuration errors
verbose-connections: 3; # trace established incoming address to forward address
verbose-connections-error: 3; # connection errors
verbose-connections-try: 0; # connection attempts towards targets
verbose-fd: 0; # file descriptor activity, open/close/whatnot
verbose-packets: 0; # hexdump packets on which probing is done
verbose-probe-info: 0; # what's happening during the probe process
verbose-probe-error: 3; # failures and problems during probing
verbose-system-error: 3; # system call problem, i.e.  malloc, fork, failing
verbose-int-error: 3; # internal errors, the kind that should never happen

listen:
(
    { host: "prismplex-server"; port: "443"; },
    { host: "prismplex-server"; is_udp: true; port: "443"; },
);

protocols:
(
# Forward TCP
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "9292"; keepalive: true; fork: true; tfo_ok: true },
     { name: "openvpn"; host: "localhost"; port: "1195"; tfo_ok: true },
     { name: "xmpp"; host: "localhost"; port: "5222"; tfo_ok: true },
     #{ name: "http"; host: "localhost"; port: "80"; tfo_ok: true },
     { name: "tls"; host: "localhost"; port: "443"; tfo_ok: true },
     #{ name: "anyprot"; host: "localhost"; port: "443"; tfo_ok: true },

# Forward UDP
     { name: "openvpn"; service: "openvpn"; host: "localhost"; port: "1194"; keepalive: true; fork: true; tfo_ok: false },
     { name: "regex"; host: "localhost"; is_udp: true; port: "9191"; regex_patterns: [ "\x01\x00\x00\x00" ] }, #Wireguard

);

utoni commented 2 years ago

Can you upload your OpenVPN config? That may help investigating this issue.

// EDIT: Does it work w/o transparent mode?

prismplex commented 2 years ago

Turning off transparent mode does not make any difference, still getting no route to host. TCP is working fine with same settings just TCP and another port, so that's why I think I have a config problem with UDP somewhere in sslh (iptables rules are both made for UDP and TCP for transparent mode). Both ports 1194 and 1195 are open in my router and server firewall settings, proven by the possibility to connect from outside without problems.

This is my OpenVPN config, working perfectly by direct connection via port 1194.

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/vpn.prismplex.com.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.prismplex.com.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 192.168.120.1" #local dns
#push "dhcp-option DNS 84.200.69.80"
#push "dhcp-option DNS 84.200.70.40"
push "comp-lzo no"

docker-compose.yml

version: '2'
services:
  openvpn:
    cap_add:
     - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn-udp
    ports:
     - "1194:1194/udp"
    restart: always
    volumes:
     - ./openvpn-data/conf:/etc/openvpn

prismplex commented 2 years ago

I recently did something similar.

For WireGuard, maybe you need to set AllowedIPs=0.0.0.0/0 in the conf file, since sslh is in transparent mode.

If possible, please also share your config of WireGuard.

Thank you, already did this. And as OpenVPN is also not working I think there is a UDP protocol (config) issue somewhere.

utoni commented 2 years ago

Sorry for my late answer. I've tried your config and a slightly modified default OpenVPN config that uses UDP. Both do not work. sslh-select does not receive any packets. I do not know what is the issue here.

utoni commented 2 years ago

A quick research ended up with two major issues:

utoni commented 2 years ago

@prismplex PR #338 fixes openvpn udp detection (works fine with sslh-ev)

AntonOfTheWoods commented 2 years ago

Did anyone get this wireguard to work? It would be totally wonderful to have a working example for that!

utoni commented 2 years ago

Working on a WireGuard probe, because I need that as well.

utoni commented 2 years ago

@AntonOfTheWoods

Can you verify if PR #345 works for you? I was not able to test it yet due to time restrictions. =)

AntonOfTheWoods commented 2 years ago

@utoni it has turned into a huge mission trying to first get things compiled on Ubuntu 22.04 and then getting it to start without erroring out. The instructions seem to be old and incomplete, or maybe just not work for Ubuntu.

prismplex commented 2 years ago

@prismplex PR #338 fixes openvpn udp detection (works fine with sslh-ev)

Thank you for working on this. I am using Arch Linux and unfortunately the current package does not provide sslh-ev. I haven't had time to manually install the latest version yet. Wanted to wait for an updated precompiled Arch Linux package.

utoni commented 2 years ago

@prismplex It should now also work with sslh-select since PR #340 fixed the bug that affected you.

prismplex commented 2 years ago

Alright, thank you! Since the Arch Linux packages will only be upgraded after version release I will have to wait for an official release. If I have time I will try to compile the prerelease/master by myself.


iamdoubz commented 1 year ago

I also want to add that in your .cfg file in your "UDP" section, you also need to include is_udp: true;.
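The point above is easy to miss: in the second config posted in this thread the UDP `openvpn` entry has no `is_udp: true;`, so it is just a second TCP `openvpn` probe behind the one on port 1195 and is never used for the UDP listener. The following is an added example, not part of sslh and not posted by anyone in the thread, of a small lint that parses the `listen:` and `protocols:` sections of an sslh-style config and reports entries whose transport does not line up. The sample config is constructed from the thread; the assumption that probes are tried in configuration order, so a repeated (transport, name) pair is shadowed, is the documented sslh behaviour but the lint's wording is this example's own.

```python
# Added example: lint an sslh-style config for is_udp mismatches.
# Assumes '#' comments never appear inside quoted values.
import re

# Constructed sample modelled on the second config in this thread. Raw
# string so the regex pattern keeps its literal backslashes.
SAMPLE_CFG = r"""
listen:
(
    { host: "prismplex-server"; port: "443"; },
    { host: "prismplex-server"; is_udp: true; port: "443"; },
);

protocols:
(
# Forward TCP
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "9292"; keepalive: true; fork: true; tfo_ok: true },
     { name: "openvpn"; host: "localhost"; port: "1195"; tfo_ok: true },

# Forward UDP
     { name: "openvpn"; service: "openvpn"; host: "localhost"; port: "1194"; keepalive: true; fork: true; tfo_ok: false },
     { name: "regex"; host: "localhost"; is_udp: true; port: "9191"; regex_patterns: [ "\x01\x00\x00\x00" ] }, #Wireguard
);
"""

# Same config with the flag the comment above says is missing.
FIXED_CFG = SAMPLE_CFG.replace(
    'service: "openvpn"; host: "localhost"; port: "1194";',
    'service: "openvpn"; host: "localhost"; is_udp: true; port: "1194";')

ENTRY_RE = re.compile(r"\{([^{}]*)\}")
FIELD_RE = re.compile(r'([A-Za-z_][\w-]*)\s*:\s*("(?:[^"\\]|\\.)*"|\[[^\]]*\]|[^;,]+)')


def _clean(value: str) -> str:
    value = value.strip().rstrip(",").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def section(text: str, name: str) -> str:
    """Return the text inside 'name: ( ... );', honouring nested parens and strings."""
    m = re.search(rf"\b{name}\s*:\s*\(", text)
    if not m:
        return ""
    i, depth, in_str = m.end(), 1, False
    while i < len(text) and depth:
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return text[m.end():i - 1]


def parse_entries(body: str) -> list:
    """Turn '{ k: v; k: v }, { ... }' into a list of string-valued dicts."""
    return [{k: _clean(v) for k, v in FIELD_RE.findall(e)} for e in ENTRY_RE.findall(body)]


def _transport(entry: dict) -> str:
    return "udp" if entry.get("is_udp") == "true" else "tcp"


def lint_sslh_config(text: str) -> list:
    """Report protocol entries that cannot be reached from any listener."""
    text = re.sub(r"#[^\n]*", "", text)
    listeners = parse_entries(section(text, "listen"))
    protocols = parse_entries(section(text, "protocols"))
    transports = {_transport(l) for l in listeners}
    findings, first_seen = [], {}
    for idx, p in enumerate(protocols, 1):
        tr, name, port = _transport(p), p.get("name", "?"), p.get("port", "?")
        if tr not in transports:
            findings.append(f"entry {idx} ({name}, port {port}) is {tr} but no {tr} listener exists")
        key = (tr, name)
        if name != "regex" and key in first_seen:
            findings.append(
                f"entry {idx} ({name}, port {port}) repeats the {tr} '{name}' probe of "
                f"entry {first_seen[key]} and can never match; if it was meant for the "
                f"UDP listener it needs is_udp: true")
        first_seen.setdefault(key, idx)
    for tr in transports:
        if not any(_transport(p) == tr for p in protocols):
            findings.append(f"{tr} listener defined but no {tr} protocol entry exists")
    return findings


if __name__ == "__main__":
    for label, cfg in [("as posted", SAMPLE_CFG), ("with is_udp", FIXED_CFG)]:
        print(label, "->", lint_sslh_config(cfg) or "no findings")
```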

HolyMacarony commented 1 year ago

Hello :) did anyone get this running by now? Ubuntu 22.04 also only provides sslh and sslh-select, and I cannot get OpenVPN running in UDP mode. Would love to use Wireguard as well.

AntonOfTheWoods commented 1 year ago

@HolyMacarony it seems to work ok but there were definitely some edge cases that crash still, particularly with bad config. I actually didn't end up being able to use it because they closed UDP on me...

thanosz commented 4 months ago

Hello, it seems ~that it is still not working. Is there any update?~ to be working with sslh > 2.0

iamdoubz commented 4 months ago

This is totally off topic, but similar, read how the GFW passively blocks Shadowsocks proxies. Would be best to implement the reverse of it into sslh though:

https://gfw.report/publications/usenixsecurity23/en/

yrutschle commented 4 months ago

Closing this and moving the Shadowsocks discussion in another issue