From: Luca Beltrame <lbeltrame@kde.org>
To: wireguard@lists.zx2c4.com
Subject: [HACK] UDP tunneling over TCP for WireGuard
Date: Wed, 18 Apr 2018 13:55:33 +0200
Message-ID: <24602785.LeAoNilrza@aoi.marionegri.it>
Hello,
at one of the places I use WireGuard, outgoing UDP is *completely* blocked by
the perimeter firewall. In addition, only a handful of ports are open. (Not
that this has helped security in any way, but I digress)
This meant that I could not connect to my WireGuard-using OpenWRT router which
is somewhere else.
As a happy WireGuard user, I thought about how to handle this. Port was an
easy solution: 587 is open, so I could just have the router redirect it to the
actual endpoint port. UDP, not so much.
What came out was a horrid hack involving socat and sacrifices to the Great
Old Ones, but it worked enough for me.
tl;dr: Use socat to tunnel local UDP port via TCP to a remote port, then
redirect UDP there to the actual WireGuard endpoint port.
First of all, I set a systemd unit to have this running continuously:
[Unit]
Description=UDP over TCP forwarder
After=autossh@tsugumi.service
[Service]
ExecStart=/usr/bin/socat -t600 -T600 -d -d UDP4-LISTEN:51821 tcp4:ENDPOINT_IP:587
User=nobody
Group=nobody
Restart=always
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
[Install]
WantedBy=multi-user.target
I set fairly high timeouts because WireGuard is not very chatty and socat
usually exits when there's no traffic for a while.
Then, I set the relevant bits in wg0.conf:
[Interface]
ListenPort = 51820
PrivateKey =<redacted>
Address = 10.64.0.4/32
MTU=1280
[Peer]
PublicKey = <redacted>
AllowedIPs = 10.64.0.1/32,<internal router LAN IP range>
Endpoint = 127.0.0.1:51821
PersistentKeepalive = 60
As you notice, it goes to localhost then it's pushed via TCP to the remote
endpoint. At this time, I had to lower the MTU to adjust for overhead (as
discussed on IRC) that I introduced with this monstrosity.
On the remote side, I have (running through openWRT's init):
/usr/bin/socat -d -d tcp4-listen:587,reuseaddr,fork UDP4:127.0.0.1:51820
which brings packets back to port 51820, where wg is listening.
And voilà, it works:
interface: wg0
public key: <redacted>
private key: (hidden)
listening port: 51820
peer: <redacted>
endpoint: 127.0.0.1:51821
allowed ips: 10.64.0.1/32, <LAN>
latest handshake: 30 seconds ago
transfer: 300.68 MiB received, 175.78 MiB sent
persistent keepalive: every 1 minute
Very hacky, but gets the job done. Any suggestions on how to make it better?
--
Luca Beltrame - KDE Forums team
KDE Science supporter
GPG key ID: A29D259B
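The relay above copies bytes between a UDP socket and a TCP socket; socat adds no framing of its own, so the receiving side turns each TCP read into one UDP datagram and relies on every read ending exactly where a datagram ended. TCP is a byte stream and gives no such guarantee: writes can be split or coalesced in transit, and the UDP side then emits a merged or truncated WireGuard packet (which WireGuard simply drops as an authentication failure, so the symptom is lost packets rather than anything worse). The following is an added example, not code from the post or from the WireGuard project. It models the receiver's recv() loop over a concatenated stream, shows the corruption the unframed copy produces, and implements a 2-byte length-prefix framing that survives arbitrary read boundaries. The sample packets are constructed to look like WireGuard message types by their first byte only; their payloads are filler.

```python
"""UDP datagrams over a TCP byte stream: why a UDP<->TCP relay needs framing.

Added example (not from the mailing-list post). A relay that just copies
bytes, as socat does between UDP4-LISTEN and tcp4, is correct only when
every TCP read on the far side returns exactly one original datagram.
"""
import struct
from typing import List

LEN = struct.Struct("!H")   # big-endian 16-bit length prefix (max 65535 bytes)


def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length so the receiver can find its end."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return LEN.pack(len(datagram)) + datagram


class Deframer:
    """Reassembles datagrams from an arbitrarily chunked TCP byte stream."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        """Append one TCP read; return every datagram that is now complete."""
        self.buf += chunk
        out: List[bytes] = []
        while len(self.buf) >= LEN.size:
            (n,) = LEN.unpack_from(self.buf, 0)
            if len(self.buf) < LEN.size + n:
                break                       # wait for the rest of this datagram
            out.append(bytes(self.buf[LEN.size:LEN.size + n]))
            del self.buf[:LEN.size + n]
        return out


def tcp_reads(stream: bytes, read_size: int) -> List[bytes]:
    """Model the receiver's recv() loop: the stream arrives in read_size pieces
    regardless of where the sender's write() boundaries were."""
    return [stream[i:i + read_size] for i in range(0, len(stream), read_size)]


def unframed_relay(datagrams: List[bytes], read_size: int) -> List[bytes]:
    """Plain byte copy: write each datagram to TCP, emit one UDP datagram per
    TCP read. Boundaries are preserved only by luck."""
    stream = b"".join(datagrams)
    return tcp_reads(stream, read_size)


def framed_relay(datagrams: List[bytes], read_size: int) -> List[bytes]:
    """Same stream, but length-framed on the sending side and reassembled by a
    Deframer on the receiving side."""
    stream = b"".join(frame(d) for d in datagrams)
    deframer = Deframer()
    out: List[bytes] = []
    for chunk in tcp_reads(stream, read_size):
        out.extend(deframer.feed(chunk))
    return out


# Constructed sample traffic: the first byte mimics the WireGuard message type
# (1 = handshake initiation, 4 = transport data); the rest is filler, not real
# handshake or ciphertext bytes.
SAMPLE = [
    b"\x01\x00\x00\x00" + b"I" * 144,   # 148-byte handshake-initiation shape
    b"\x04\x00\x00\x00" + b"D" * 60,    # small transport packet
    b"\x04\x00\x00\x00" + b"E" * 1200,  # large transport packet
]

if __name__ == "__main__":
    for name, relay in (("unframed", unframed_relay), ("framed", framed_relay)):
        got = relay(SAMPLE, 1000)
        print(f"{name}: {len(got)} datagrams out for {len(SAMPLE)} in, "
              f"boundaries preserved: {got == SAMPLE}")
```

With 1000-byte reads the unframed copy delivers two datagrams for three sent, the first one a concatenation of the handshake and the small transport packet plus part of the large one; the framed version returns the original three whatever the read size. A relay built this way also needs a single long-lived TCP connection per peer pair rather than one per datagram, which is the other reason the socat pair above leans on long timeouts and PersistentKeepalive.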
Thread overview:
2018-04-18 11:55 Luca Beltrame [this message]
2018-04-18 15:55 ` [HACK] UDP tunneling over TCP for WireGuard Tim Sedlmeyer
2018-04-18 21:07 ` Matthias Urlichs
2018-04-18 16:36 ` Ximin Luo
[not found] ` <f47035e6-8940-7f24-6d13-f645a76bc3a7@juniorjpdj.pl>
2018-04-18 21:12 ` Luca Beltrame
2018-05-24 1:20 ` Beware of udp2raw-tunnel (was: [HACK] UDP tunneling over TCP for WireGuard) tomli