TCP Wireguard with socat

TCP Wireguard with socat

[Gianluca Gabrielli]

Hi everybody,

I'm an happy wireguard user since a while, but at that time I need to link =
two peers and I can only use TCP. I know that there are thousand of other t=
ools I can use, but I'd like to do it using wireguard.
My first thought has been to make use of socat, since some newest version a=
 new address type called INTERFACE has been added (http://www.dest-unreach.=
org/socat/doc/socat.html#ADDRESS_TYPES), so I tried to use it but I've not =
been able to make it works.
This is why I'm here asking your feedbacks, or to collect other ideas to le=
t wireguard works through a TCP tunnel.

I wrote all the notes about the tests I made on a pdf, I know that this is =
not the good way to share with you my results, and I should write it here o=
nce again in plaintext. But for me it will would turn on a waste of time do=
 it again, and it also would be less comprehensible.
I uploaded the pdf online instead to attach it to this email hence nobody n=
eeds to open it on his personal laptop, but it can be viewed via any browse=
r. I personally hate open unknown file on my computer. The pdf can be viewe=
d from the following link:
https://drive.google.com/open?id=3D1KrLvU1D0K4YpRHi-jsIjbExh0lFTRQks

I will really appreciate any constructive feedback or suggestion on how to =
easily use wireguard with TCP.

Thanks,
Gianluca

Re: TCP Wireguard with socat

[Matthias Urlichs]

On 09.03.2018 17:41, Gianluca Gabrielli wrote:
> My first thought has been to make use of socat

socat can do either packet streams or byte streams. A UDP socket (or a
tun/tap interface) is a packet stream. TCP is a byte stream. You can't
forward a packet stream into a byte stream. (Well, OK, socat does allow
you to set that up, but it won't work.)

You need wrap your packets in some sort of frame (simplest: precede each
with a length word (but think about byte ordering)). I'm sure there are
programs which do that, or you can write your own. socat can't do it.

-- 
-- Matthias Urlichs

Re: TCP Wireguard with socat

[Gianluca Gabrielli]

=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90

On March 9, 2018 10:45 PM, Matthias Urlichs <matthias@urlichs.de> wrote:

> On 09.03.2018 17:41, Gianluca Gabrielli wrote:
>=20
> > My first thought has been to make use of socat
>=20
> socat can do either packet streams or byte streams. A UDP socket (or a
>=20
> tun/tap interface) is a packet stream. TCP is a byte stream. You can't
>=20
> forward a packet stream into a byte stream. (Well, OK, socat does allow
>=20
> you to set that up, but it won't work.)
>=20
> You need wrap your packets in some sort of frame (simplest: precede each
>=20
> with a length word (but think about byte ordering)). I'm sure there are
>=20
> programs which do that, or you can write your own. socat can't do it.

Forwarding UDP packets (message oriented) into a TCP connection (stream ori=
ented) could be done without any problem. Think about an OpenVPN TCP tunnel=
 where you've redirected all your traffic, UDP connections as well.
Do you mean that socat just forward packets through the two specified chann=
el without wrapping them?

Re: TCP Wireguard with socat

[Matthias Urlichs]

On 12.03.2018 10:15, Gianluca Gabrielli wrote:
> Do you mean that socat just forward packets through the two specified c=
hannel without wrapping them?

Exactly. it doesn't know how to do any wrapping+unwrapping, thus it's
useless for exchanging data between a stream-based and a packet-based
port/device/interface/whatever (assuming that you need to keep the
packet boundaries intact).

--=20
-- Matthias Urlichs

Re: TCP Wireguard with socat

[Gianluca Gabrielli]

Do you have any link about documentation which explains this socat's behavi=
or?

SSH should does something similar when is used for tunneling, it just open =
a TCP connection and then forwards everything through it, without wrapping =
every single packet.
BTW on this thread (https://superuser.com/questions/53103/udp-traffic-throu=
gh-ssh-tunnel) they show how to perform UDP over TCP tunnel.
I tried with Secure Socket Funneling (ssf), setting netcat listening on UDP=
-mode (-u) on the server, and I was able to send strings to it from the cli=
ent.
Now I think it would just takes some time before starting to use wireguard =
inside this tunnel.

If someone of you want to make some tests on his own devices, I really appr=
eciate if you'll share your finding with me.

Re: TCP Wireguard with socat

[Gianluca Gabrielli]

Yes, I can confirm now. Wireguard + ssf[1] (UDP forwarding) works very well=
.
I will proceed doing some benchmark to understand how much this solution is=
 downgrading performance.=20

[1] https://github.com/securesocketfunneling/ssf=20

Cheers,
Gianluca

Re: TCP Wireguard with socat

[Tim Sedlmeyer]

Glad you got it working with ssf. If you are still interested in
getting it to work with socat, I have done so and it is pretty easy to
do.

On the server side of the connection:

socat -d -d TCP-LISTEN:443,reuseaddr TUN:192.168.255.1/24,up

On the client side:

socat TCP:server_address:443 TUN:192.168.255.2/24,up

This will create tunnel interfaces on each side which forwards any
data flowing through them over a socat established TCP connection
between the machines. Running 'ip link show' on either end will show
the new tun interface.

In your wireguard configuration set the server to listen on any port
besides 443 since socat is using this port for the TCP connection. On
the client side configure the endpoint for the server peer to be
192.168.255.1:server_listenport


On Mon, Mar 12, 2018 at 11:14 AM, Gianluca Gabrielli
<tuxmealux@protonmail.com> wrote:
> Yes, I can confirm now. Wireguard + ssf[1] (UDP forwarding) works very well.
> I will proceed doing some benchmark to understand how much this solution is downgrading performance.
>
> [1] https://github.com/securesocketfunneling/ssf
>
> Cheers,
> Gianluca
>
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: TCP Wireguard with socat

[Gianluca Gabrielli]

Great! Thanks a lot Tim, I will try your solution tomorrow. Actually I've f=
ound ssf a very nice tool, but I'd prefer to use socat for this task.

Cheers,
Gianluca

Re: TCP Wireguard with socat

[Matthias Urlichs]

On 12.03.2018 16:44, Tim Sedlmeyer wrote:
> On the server side of the connection:
>
> socat -d -d TCP-LISTEN:443,reuseaddr TUN:192.168.255.1/24,up
> socat TCP:server_address:443 TUN:192.168.255.2/24,up

This works if you're lucky, and as long as both sides send few packets.

As soon as your TCP queue fills up or your TCP connection has any packet
loss, all bets are off.

--=20
-- Matthias Urlichs

Re: TCP Wireguard with socat

[Matthias Urlichs]

On 12.03.2018 15:37, Gianluca Gabrielli wrote:
> BTW on this thread (https://superuser.com/questions/53103/udp-traffic-through-ssh-tunnel) they show how to perform UDP over TCP tunnel.

Yeah, and in the comments people explain why this is a bad idea.

Look, this is fairly easy to understand. TCP is a byte stream. It does
not know about packets; if you read from it you get N of the bytes the
other side has written, no matter in what chunks. TUN/TAP on the other
hand is a packet interface. It doesn't understand partial or aggregated
packets – it wants exactly one complete packet per write() call.

It's like pouring multiple cups of water at a time through a funnel. If
you pour slowly enough, each distinct chunk of water arrives at the
other end so that you can distinguish the original amounts, but if you
pour too fast or if there's an obstruction in the flow the distinction
gets lost and you lose packets (or, worse, the receiver sees additional
gibberish at their end).

Just use ssf. It's a tool that's built to do the job right. socat is
not, and it will not.

-- 
-- Matthias Urlichs

Re: TCP Wireguard with socat

[Gianluca Gabrielli]

Thanks Matthias, now I see your point.

I'm wondering why we should prepend a length to each datagram. On the datag=
ram's header the payload length is already present, should not be enough to=
 reconstruct the original datagram after the stream has been unwrapped?

Cheers,
Gianluca

Re: TCP Wireguard with socat

[Matthias Urlichs]

On 13.03.2018 10:19, Gianluca Gabrielli wrote:
> I'm wondering why we should prepend a length to each datagram. On the d=
atagram's header the payload length is already present, should not be eno=
ugh to reconstruct the original datagram after the stream has been unwrap=
ped?
Not really, because the datagram's payload length doesn't have to
correspond to the frame length. Think malicious malformed packets, or
networks with a minimum packet length, or protocols other than wireguard
=E2=80=93 you shouldn't assume that no other data is transmitted on that =
link.

Even if all that were true, or if you enfore that on the sending side,
you'd still need a specialized unpacker on the receiving end. Easier to
just use a tool that doesn't have any of these problems.

--=20
-- Matthias Urlichs