From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: ryan@testtoast.com
Received: from krantz.zx2c4.com (localhost [127.0.0.1]) by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id e23e7e56 for ; Thu, 30 Aug 2018 10:40:40 +0000 (UTC)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id d49ce823 for ; Thu, 30 Aug 2018 10:40:40 +0000 (UTC)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 8A2FA21E33 for ; Thu, 30 Aug 2018 06:54:35 -0400 (EDT)
Received: from [192.168.1.143] (180-150-21-37.cust.aussiebb.net [180.150.21.37]) by mail.messagingengine.com (Postfix) with ESMTPA id C2BBCE4447 for ; Thu, 30 Aug 2018 06:54:33 -0400 (EDT)
From: Ryan Walklin
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: TCP Tunneling (again sorry)
Message-Id: <1D3625F5-E278-436F-B50E-0D65ADCACC1C@testtoast.com>
Date: Thu, 30 Aug 2018 20:54:30 +1000
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Hi,

I appreciate this is a bit of a noob question not directly related to WireGuard and has been covered before, but I’m just hoping for a bit of advice and clarity. I’ve got a WireGuard tunnel up and running nicely between my MBP laptop and my Debian server at home and am hoping to use it as a VPN while travelling.

However I’ve found an issue when my laptop is behind work firewalls which block UDP, and not wanting to be encountering this issue overseas have been looking at tunnelling options. I have been using a SOCKS proxy generated with OpenSSH up until now, but it’s difficult to route all my laptop’s traffic via the proxy.

I’m aware of SSF (https://securesocketfunneling.github.io/ssf) and udp2raw (https://github.com/wangyu-/udp2raw-tunnel/blob/master/doc/openvpn_guide.md) which has been covered on this list before (https://lists.zx2c4.com/pipermail/wireguard/2018-May/002915.html) but just wonder if anyone could comment on the specific security implication of using minimal or no security on the TCP tunnel mechanism (which seems poorly implemented by udp2raw particularly), and relying on the underlying WireGuard encryption? Or is this crazy? Is there any other satisfactory Unix-based mechanism to tunnel UDP over TCP?

I feel like if I run a WireGuard tunnel through an encrypted SSF tunnel I may as well just be using SSF by itself, however the ease of setting the default route on my laptop with wg-quick is a great feature and I am very impressed by the quality of WireGuard and the focus on security so would like to continue using it if possible.

Thanks,

Ryan
