WireGuard Archive on lore.kernel.org
 help / color / Atom feed
* Re: [feature request] To support "Wireguard over raw TCP"
       [not found] <CAKVinOU6xpbJNfCPAecX7kOgk_PbCzThYtER9d3ax1h6k3DGTw@mail.gmail.com>
@ 2018-09-25 15:52 ` StarBrilliant
  2018-09-25 16:29   ` Breus Blaauwendraad
       [not found]   ` <CAKVinOXXqMDRZcjVbOS4-iMBONdiYKaho8e3tEAZO+JKOZ_Gxw@mail.gmail.com>
  0 siblings, 2 replies; 7+ messages in thread
From: StarBrilliant @ 2018-09-25 15:52 UTC (permalink / raw)
  To: wireguard

On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(http://diyism.com)
<kexianbin@diyism.com> wrote:
>
> Currently, I'm using udp2raw-tunnel to transform wireguard udp traffic into raw tcp (config files as follows),
> It's very stable on my home network than using wireguard alone,
> But if we can integrate RAW TCP feature into wireguard, it would significantly improve performance and stability for end users.
>
>
> from: https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145
>
> $wget https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz
> $tar xzvf udp2raw_binaries.tar.gz
> $sudo cp udp2raw_amd64 /usr/bin/
> $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
> $cat /etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = <client privkey>
> Address = 10.0.0.3/32
> ListenPort = 24447
> MTU = 1300
> PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <server pubkey> allowed-ips 0.0.0.0/0
> PostDown = ip route del 10.0.0.0/24
>
> [Peer]
> #10.0.0.1
> PublicKey = <server pubkey>
> Endpoint = 127.0.0.2:24448
> #AllowedIPs = 0.0.0.0/0
>
> $sudo wg-quick down wg0 ; sudo wg-quick up wg0
> $ping 10.0.0.1
> 64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
> $sudo ip route add 104.24.0.0/16 dev wg0
> $ping myip.ipip.net
> PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
> 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms
> $curl http://myip.ipip.net
> IP:<server ip>
>
> #take care, "MTU = 1300" in wg0.conf is needed when wireguard over udp2raw, or else most https requests will be blocked because of mtu problem.


Hello Kexianbin,

This is an UNOFFICIAL response to your question. (But I think the
official developers may have similar answers.)

Wireguard probably will not accept an official integration to udp2raw.
The reasons are:

1) Wireguard wants to keep their kernel part code minimized, therefore
easy for security auditing, and less bugs.The UDP protocol is actually
very simple and straightforward. (By the way, if you intended to use
Wireguard in China, be informed that this is a protocol that is very
easy to block by the ISP.)

2) I have read the source code of udp2raw. To be frank, the code is of
very low quality. For this reason, I don't think udp2raw would be
integrated into Wireguard unless it's rewritten.

3) Udp2raw is not suitable for everyone or for every country. For
example udp2raw may have problems passing middleboxes, which is common
among satellite ISPs in Oceania. Middleboxes break and resemble TCP
segments thus make udp2raw literally unusable. Also it is not
congestion friendly (by design), so a massive deployment may affect
the global Internet ecology.

However the good news is, Wireguard provides an open control interface
(see https://www.wireguard.com/xplatform/ ). By utilizing this
interface, we can develop an alternate frontend application other than
the official command "wg", that automatically sets up the kernel
Wireguard kernel part and a userland udp2raw part, packaged as one
application.


My words for Wireguard developers:

1) In case you may not know the udp2raw protocol, here is a
description. Some ISPs in certain countries have strange QoS strategy
that deprioritize UDP packets during network congestion, resulting a
50% loss rate or more for UDP. The udp2raw protocol simulates a
three-way TCP handshake and add TCP header to UDP packets so they will
not be dropped. This protocol does not do congestion control or rate
control, neither does it understand any TCP semantics. It's a dirty
hack for dirty ISP, not suitable for everyone, but overwhelmingly
useful in certain countries.

2) Wireguard currently does not support binding to localhost. This is
required for any third-party plugins upon Wireguard to work. We might
need to consider binding to localhost an important feature to go in
the near future.


Best regards,
StarBrilliant
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [feature request] To support "Wireguard over raw TCP"
  2018-09-25 15:52 ` [feature request] To support "Wireguard over raw TCP" StarBrilliant
@ 2018-09-25 16:29   ` Breus Blaauwendraad
  2018-10-02  6:40     ` Matthias Urlichs
  2018-10-02  6:53     ` KeXianbin(http://diyism.com)
       [not found]   ` <CAKVinOXXqMDRZcjVbOS4-iMBONdiYKaho8e3tEAZO+JKOZ_Gxw@mail.gmail.com>
  1 sibling, 2 replies; 7+ messages in thread
From: Breus Blaauwendraad @ 2018-09-25 16:29 UTC (permalink / raw)
  To: coder; +Cc: wireguard

[-- Attachment #1.1: Type: text/plain, Size: 6429 bytes --]

Hello StarBrilliant,

I think that what Kexianbin is trying to make clear is that it would be
nice if  native TCP support would be added in WireGuard.
He (probably) currently uses udp2raw as an alternative, because an UDP-only
VPN is sadly enough not working in every situation.
With him, there have been others pitching ideas on how to wrap the
WireGuard UDP traffic in TCP, which in my opinion, is a poor idea.

So, why would UDP for a VPN service not be enough?

First of all, most VPN traffic obfuscation techniques require a TCP
connection instead of UDP.
VPN usage is particularly useful in countries were Internet censorship is
applied.
Since obfuscating VPN traffic comes with performance overhead, wrapping the
UDP in TCP and obfuscating this would kill the performance advantage
WireGuard has over other protocols.

However, what is arguably more important: various corporate firewalls
(hotels/restaurants/offices) are known to block UDP (for random ports
besides the standard DNS 53 port etc.).
In these instances, it would be useful to have the possibility to build a
fall back to TCP instead of UDP in a VPN service (or even the protocol
itself).

Also, various researchers I have spoken to told me that sometimes they need
a more reliable (TCP) connection, which is then more important than the
speed UDP provides.

I'm looking into the possibilities to deploy the WireGuard VPN protocol for
an existing VPN service currently using OpenVPN, but I keep stumbling on
the problem that WIreGuard does not support TCP.
I (think I) have read all posts regarding TCP for WireGuard, but it seems
that there do not exists a good way to tackle this problem.

Could someone tell whether or not TCP would be a future additional option
for WireGuard, and why (not)?

Also, do you think there actually does exist a neat and fitting solution
for the problems I described?

Kind regards,

Breus Blaauwendraad


On Tue, 25 Sep 2018 at 17:54, StarBrilliant <coder@poorlab.com> wrote:

> On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(http://diyism.com)
> <kexianbin@diyism.com> wrote:
> >
> > Currently, I'm using udp2raw-tunnel to transform wireguard udp traffic
> into raw tcp (config files as follows),
> > It's very stable on my home network than using wireguard alone,
> > But if we can integrate RAW TCP feature into wireguard, it would
> significantly improve performance and stability for end users.
> >
> >
> > from:
> https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145
> >
> > $wget
> https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz
> > $tar xzvf udp2raw_binaries.tar.gz
> > $sudo cp udp2raw_amd64 /usr/bin/
> > $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
> > $cat /etc/wireguard/wg0.conf
> > [Interface]
> > PrivateKey = <client privkey>
> > Address = 10.0.0.3/32
> > ListenPort = 24447
> > MTU = 1300
> > PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <server
> pubkey> allowed-ips 0.0.0.0/0
> > PostDown = ip route del 10.0.0.0/24
> >
> > [Peer]
> > #10.0.0.1
> > PublicKey = <server pubkey>
> > Endpoint = 127.0.0.2:24448
> > #AllowedIPs = 0.0.0.0/0
> >
> > $sudo wg-quick down wg0 ; sudo wg-quick up wg0
> > $ping 10.0.0.1
> > 64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
> > $sudo ip route add 104.24.0.0/16 dev wg0
> > $ping myip.ipip.net
> > PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
> > 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms
> > $curl http://myip.ipip.net
> > IP:<server ip>
> >
> > #take care, "MTU = 1300" in wg0.conf is needed when wireguard over
> udp2raw, or else most https requests will be blocked because of mtu problem.
>
>
> Hello Kexianbin,
>
> This is an UNOFFICIAL response to your question. (But I think the
> official developers may have similar answers.)
>
> Wireguard probably will not accept an official integration to udp2raw.
> The reasons are:
>
> 1) Wireguard wants to keep their kernel part code minimized, therefore
> easy for security auditing, and less bugs.The UDP protocol is actually
> very simple and straightforward. (By the way, if you intended to use
> Wireguard in China, be informed that this is a protocol that is very
> easy to block by the ISP.)
>
> 2) I have read the source code of udp2raw. To be frank, the code is of
> very low quality. For this reason, I don't think udp2raw would be
> integrated into Wireguard unless it's rewritten.
>
> 3) Udp2raw is not suitable for everyone or for every country. For
> example udp2raw may have problems passing middleboxes, which is common
> among satellite ISPs in Oceania. Middleboxes break and resemble TCP
> segments thus make udp2raw literally unusable. Also it is not
> congestion friendly (by design), so a massive deployment may affect
> the global Internet ecology.
>
> However the good news is, Wireguard provides an open control interface
> (see https://www.wireguard.com/xplatform/ ). By utilizing this
> interface, we can develop an alternate frontend application other than
> the official command "wg", that automatically sets up the kernel
> Wireguard kernel part and a userland udp2raw part, packaged as one
> application.
>
>
> My words for Wireguard developers:
>
> 1) In case you may not know the udp2raw protocol, here is a
> description. Some ISPs in certain countries have strange QoS strategy
> that deprioritize UDP packets during network congestion, resulting a
> 50% loss rate or more for UDP. The udp2raw protocol simulates a
> three-way TCP handshake and add TCP header to UDP packets so they will
> not be dropped. This protocol does not do congestion control or rate
> control, neither does it understand any TCP semantics. It's a dirty
> hack for dirty ISP, not suitable for everyone, but overwhelmingly
> useful in certain countries.
>
> 2) Wireguard currently does not support binding to localhost. This is
> required for any third-party plugins upon Wireguard to work. We might
> need to consider binding to localhost an important feature to go in
> the near future.
>
>
> Best regards,
> StarBrilliant
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>

[-- Attachment #1.2: Type: text/html, Size: 8750 bytes --]

<div dir="ltr"><div>Hello StarBrilliant,</div><div><br></div><div>I think that what 
Kexianbin is trying to make clear is that it would be nice if  native TCP support would be added in WireGuard.</div><div>He (probably) currently uses udp2raw as an alternative, because an UDP-only VPN is sadly enough not working in every situation.</div><div>With him, there have been others pitching ideas on how to wrap the WireGuard UDP traffic in TCP, which in my opinion, is a poor idea.</div><div><br></div><div>So, why would UDP for a VPN service not be enough?<br></div><div><br></div><div>First of all, most VPN traffic obfuscation techniques require a TCP connection instead of UDP. <br></div><div>VPN usage is particularly useful in countries were Internet censorship is applied.<br></div><div>Since obfuscating VPN traffic comes with performance overhead, wrapping the UDP in TCP and obfuscating this would kill the performance advantage WireGuard has over other protocols.<br></div><div><br></div><div>However, what is arguably more important: various corporate firewalls (hotels/restaurants/offices) are known to block UDP (for random ports besides the standard DNS 53 port etc.). </div><div>In these instances, it would be useful to have the possibility to build a fall back to TCP instead of UDP in a VPN service (or even the protocol itself).<br></div><div><br></div><div>Also, various researchers I have spoken to told me that sometimes they need a more reliable (TCP) connection, which is then more important than the speed UDP provides.</div><div><br></div><div>I&#39;m looking into the possibilities to deploy the WireGuard VPN protocol for an existing VPN service currently using OpenVPN, but I keep stumbling on the problem that WIreGuard does not support TCP.</div><div>I (think I) have read all posts regarding TCP for WireGuard, but it seems that there do not exists a good way to tackle this problem.</div><div><br></div><div>Could someone tell whether or not TCP would be a future additional option for WireGuard, and why (not)?</div><div><br></div><div>Also, do you think there actually does exist a neat and fitting solution for the problems I described?</div><div><br></div><div>Kind regards,</div><div><br></div><div>Breus Blaauwendraad<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 25 Sep 2018 at 17:54, StarBrilliant &lt;<a href="mailto:coder@poorlab.com">coder@poorlab.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(<a href="http://diyism.com" rel="noreferrer" target="_blank">http://diyism.com</a>)<br>
&lt;<a href="mailto:kexianbin@diyism.com" target="_blank">kexianbin@diyism.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Currently, I&#39;m using udp2raw-tunnel to transform wireguard udp traffic into raw tcp (config files as follows),<br>
&gt; It&#39;s very stable on my home network than using wireguard alone,<br>
&gt; But if we can integrate RAW TCP feature into wireguard, it would significantly improve performance and stability for end users.<br>
&gt;<br>
&gt;<br>
&gt; from: <a href="https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145" rel="noreferrer" target="_blank">https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145</a><br>
&gt;<br>
&gt; $wget <a href="https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz" rel="noreferrer" target="_blank">https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz</a><br>
&gt; $tar xzvf udp2raw_binaries.tar.gz<br>
&gt; $sudo cp udp2raw_amd64 /usr/bin/<br>
&gt; $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r&lt;server ip&gt;:24447 -a<br>
&gt; $cat /etc/wireguard/wg0.conf<br>
&gt; [Interface]<br>
&gt; PrivateKey = &lt;client privkey&gt;<br>
&gt; Address = <a href="http://10.0.0.3/32" rel="noreferrer" target="_blank">10.0.0.3/32</a><br>
&gt; ListenPort = 24447<br>
&gt; MTU = 1300<br>
&gt; PostUp = ip route add <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> dev wg0 &amp;&amp; wg set wg0 peer &lt;server pubkey&gt; allowed-ips <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt; PostDown = ip route del <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a><br>
&gt;<br>
&gt; [Peer]<br>
&gt; #10.0.0.1<br>
&gt; PublicKey = &lt;server pubkey&gt;<br>
&gt; Endpoint = <a href="http://127.0.0.2:24448" rel="noreferrer" target="_blank">127.0.0.2:24448</a><br>
&gt; #AllowedIPs = <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt;<br>
&gt; $sudo wg-quick down wg0 ; sudo wg-quick up wg0<br>
&gt; $ping 10.0.0.1<br>
&gt; 64 bytes from <a href="http://10.0.0.1" rel="noreferrer" target="_blank">10.0.0.1</a>: icmp_seq=2113 ttl=64 time=183 ms<br>
&gt; $sudo ip route add <a href="http://104.24.0.0/16" rel="noreferrer" target="_blank">104.24.0.0/16</a> dev wg0<br>
&gt; $ping <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a><br>
&gt; PING <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a> (104.24.20.50) 56(84) bytes of data.<br>
&gt; 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms<br>
&gt; $curl <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">http://myip.ipip.net</a><br>
&gt; IP:&lt;server ip&gt;<br>
&gt;<br>
&gt; #take care, &quot;MTU = 1300&quot; in wg0.conf is needed when wireguard over udp2raw, or else most https requests will be blocked because of mtu problem.<br>
<br>
<br>
Hello Kexianbin,<br>
<br>
This is an UNOFFICIAL response to your question. (But I think the<br>
official developers may have similar answers.)<br>
<br>
Wireguard probably will not accept an official integration to udp2raw.<br>
The reasons are:<br>
<br>
1) Wireguard wants to keep their kernel part code minimized, therefore<br>
easy for security auditing, and less bugs.The UDP protocol is actually<br>
very simple and straightforward. (By the way, if you intended to use<br>
Wireguard in China, be informed that this is a protocol that is very<br>
easy to block by the ISP.)<br>
<br>
2) I have read the source code of udp2raw. To be frank, the code is of<br>
very low quality. For this reason, I don&#39;t think udp2raw would be<br>
integrated into Wireguard unless it&#39;s rewritten.<br>
<br>
3) Udp2raw is not suitable for everyone or for every country. For<br>
example udp2raw may have problems passing middleboxes, which is common<br>
among satellite ISPs in Oceania. Middleboxes break and resemble TCP<br>
segments thus make udp2raw literally unusable. Also it is not<br>
congestion friendly (by design), so a massive deployment may affect<br>
the global Internet ecology.<br>
<br>
However the good news is, Wireguard provides an open control interface<br>
(see <a href="https://www.wireguard.com/xplatform/" rel="noreferrer" target="_blank">https://www.wireguard.com/xplatform/</a> ). By utilizing this<br>
interface, we can develop an alternate frontend application other than<br>
the official command &quot;wg&quot;, that automatically sets up the kernel<br>
Wireguard kernel part and a userland udp2raw part, packaged as one<br>
application.<br>
<br>
<br>
My words for Wireguard developers:<br>
<br>
1) In case you may not know the udp2raw protocol, here is a<br>
description. Some ISPs in certain countries have strange QoS strategy<br>
that deprioritize UDP packets during network congestion, resulting a<br>
50% loss rate or more for UDP. The udp2raw protocol simulates a<br>
three-way TCP handshake and add TCP header to UDP packets so they will<br>
not be dropped. This protocol does not do congestion control or rate<br>
control, neither does it understand any TCP semantics. It&#39;s a dirty<br>
hack for dirty ISP, not suitable for everyone, but overwhelmingly<br>
useful in certain countries.<br>
<br>
2) Wireguard currently does not support binding to localhost. This is<br>
required for any third-party plugins upon Wireguard to work. We might<br>
need to consider binding to localhost an important feature to go in<br>
the near future.<br>
<br>
<br>
Best regards,<br>
StarBrilliant<br>
_______________________________________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/wireguard</a><br>
</blockquote></div>

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [feature request] To support "Wireguard over raw TCP"
       [not found]   ` <CAKVinOXXqMDRZcjVbOS4-iMBONdiYKaho8e3tEAZO+JKOZ_Gxw@mail.gmail.com>
@ 2018-09-25 20:25     ` Michael Rash
  0 siblings, 0 replies; 7+ messages in thread
From: Michael Rash @ 2018-09-25 20:25 UTC (permalink / raw)
  To: kexianbin; +Cc: wireguard

[-- Attachment #1.1: Type: text/plain, Size: 5274 bytes --]

On Tue, Sep 25, 2018 at 12:06 PM KeXianbin(http://diyism.com) <
kexianbin@diyism.com> wrote:

> Thanks for the info.
>
> On Sep 25, 2018 23:53, "StarBrilliant" <coder@poorlab.com> wrote:
>
>> On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(http://diyism.com)
>> <kexianbin@diyism.com> wrote:
>> >
>> > Currently, I'm using udp2raw-tunnel to transform wireguard udp traffic
>> into raw tcp (config files as follows),
>> > It's very stable on my home network than using wireguard alone,
>> > But if we can integrate RAW TCP feature into wireguard, it would
>> significantly improve performance and stability for end users.
>> >
>> >
>> > from:
>> https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145
>> >
>> > $wget
>> https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz
>> > $tar xzvf udp2raw_binaries.tar.gz
>> > $sudo cp udp2raw_amd64 /usr/bin/
>> > $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
>> > $cat /etc/wireguard/wg0.conf
>> > [Interface]
>> > PrivateKey = <client privkey>
>> > Address = 10.0.0.3/32
>> > ListenPort = 24447
>> > MTU = 1300
>> > PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <server
>> pubkey> allowed-ips 0.0.0.0/0
>> > PostDown = ip route del 10.0.0.0/24
>> >
>> > [Peer]
>> > #10.0.0.1
>> > PublicKey = <server pubkey>
>> > Endpoint = 127.0.0.2:24448
>> > #AllowedIPs = 0.0.0.0/0
>> >
>> > $sudo wg-quick down wg0 ; sudo wg-quick up wg0
>> > $ping 10.0.0.1
>> > 64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
>> > $sudo ip route add 104.24.0.0/16 dev wg0
>> > $ping myip.ipip.net
>> > PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
>> > 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms
>> > $curl http://myip.ipip.net
>> > IP:<server ip>
>> >
>> > #take care, "MTU = 1300" in wg0.conf is needed when wireguard over
>> udp2raw, or else most https requests will be blocked because of mtu problem.
>>
>>
>> Hello Kexianbin,
>>
>> This is an UNOFFICIAL response to your question. (But I think the
>> official developers may have similar answers.)
>>
>> Wireguard probably will not accept an official integration to udp2raw.
>> The reasons are:
>>
>> 1) Wireguard wants to keep their kernel part code minimized, therefore
>> easy for security auditing, and less bugs.The UDP protocol is actually
>> very simple and straightforward. (By the way, if you intended to use
>> Wireguard in China, be informed that this is a protocol that is very
>> easy to block by the ISP.)
>>
>> 2) I have read the source code of udp2raw. To be frank, the code is of
>> very low quality. For this reason, I don't think udp2raw would be
>> integrated into Wireguard unless it's rewritten.
>>
>> 3) Udp2raw is not suitable for everyone or for every country. For
>> example udp2raw may have problems passing middleboxes, which is common
>> among satellite ISPs in Oceania. Middleboxes break and resemble TCP
>> segments thus make udp2raw literally unusable. Also it is not
>> congestion friendly (by design), so a massive deployment may affect
>> the global Internet ecology.
>>
>
Let me also add (unofficially of course) that stealth against active
scanning is also an important goal achieved by Wireguard's usage of UDP,
and switching to TCP would break this. If TCP is required, then integration
options with third party tools such as udp2raw-tunnel will always be there.
Wireguard should not have to directly support those options, and rather
should stick to its current compelling design.

--Mike




>
>> However the good news is, Wireguard provides an open control interface
>> (see https://www.wireguard.com/xplatform/ ). By utilizing this
>> interface, we can develop an alternate frontend application other than
>> the official command "wg", that automatically sets up the kernel
>> Wireguard kernel part and a userland udp2raw part, packaged as one
>> application.
>>
>>
>> My words for Wireguard developers:
>>
>> 1) In case you may not know the udp2raw protocol, here is a
>> description. Some ISPs in certain countries have strange QoS strategy
>> that deprioritize UDP packets during network congestion, resulting a
>> 50% loss rate or more for UDP. The udp2raw protocol simulates a
>> three-way TCP handshake and add TCP header to UDP packets so they will
>> not be dropped. This protocol does not do congestion control or rate
>> control, neither does it understand any TCP semantics. It's a dirty
>> hack for dirty ISP, not suitable for everyone, but overwhelmingly
>> useful in certain countries.
>>
>> 2) Wireguard currently does not support binding to localhost. This is
>> required for any third-party plugins upon Wireguard to work. We might
>> need to consider binding to localhost an important feature to go in
>> the near future.
>>
>>
>> Best regards,
>> StarBrilliant
>>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F

[-- Attachment #1.2: Type: text/html, Size: 8062 bytes --]

<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Tue, Sep 25, 2018 at 12:06 PM KeXianbin(<a href="http://diyism.com">http://diyism.com</a>) &lt;<a href="mailto:kexianbin@diyism.com">kexianbin@diyism.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Thanks for the info. </div><div class="gmail_extra"><br><div class="gmail_quote">On Sep 25, 2018 23:53, &quot;StarBrilliant&quot; &lt;<a href="mailto:coder@poorlab.com" target="_blank">coder@poorlab.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(<a href="http://diyism.com" rel="noreferrer" target="_blank">http://diyism.com</a>)<br>
&lt;<a href="mailto:kexianbin@diyism.com" target="_blank">kexianbin@diyism.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Currently, I&#39;m using udp2raw-tunnel to transform wireguard udp traffic into raw tcp (config files as follows),<br>
&gt; It&#39;s very stable on my home network than using wireguard alone,<br>
&gt; But if we can integrate RAW TCP feature into wireguard, it would significantly improve performance and stability for end users.<br>
&gt;<br>
&gt;<br>
&gt; from: <a href="https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145" rel="noreferrer" target="_blank">https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145</a><br>
&gt;<br>
&gt; $wget <a href="https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz" rel="noreferrer" target="_blank">https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz</a><br>
&gt; $tar xzvf udp2raw_binaries.tar.gz<br>
&gt; $sudo cp udp2raw_amd64 /usr/bin/<br>
&gt; $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r&lt;server ip&gt;:24447 -a<br>
&gt; $cat /etc/wireguard/wg0.conf<br>
&gt; [Interface]<br>
&gt; PrivateKey = &lt;client privkey&gt;<br>
&gt; Address = <a href="http://10.0.0.3/32" rel="noreferrer" target="_blank">10.0.0.3/32</a><br>
&gt; ListenPort = 24447<br>
&gt; MTU = 1300<br>
&gt; PostUp = ip route add <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> dev wg0 &amp;&amp; wg set wg0 peer &lt;server pubkey&gt; allowed-ips <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt; PostDown = ip route del <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a><br>
&gt;<br>
&gt; [Peer]<br>
&gt; #10.0.0.1<br>
&gt; PublicKey = &lt;server pubkey&gt;<br>
&gt; Endpoint = <a href="http://127.0.0.2:24448" rel="noreferrer" target="_blank">127.0.0.2:24448</a><br>
&gt; #AllowedIPs = <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt;<br>
&gt; $sudo wg-quick down wg0 ; sudo wg-quick up wg0<br>
&gt; $ping 10.0.0.1<br>
&gt; 64 bytes from <a href="http://10.0.0.1" rel="noreferrer" target="_blank">10.0.0.1</a>: icmp_seq=2113 ttl=64 time=183 ms<br>
&gt; $sudo ip route add <a href="http://104.24.0.0/16" rel="noreferrer" target="_blank">104.24.0.0/16</a> dev wg0<br>
&gt; $ping <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a><br>
&gt; PING <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a> (104.24.20.50) 56(84) bytes of data.<br>
&gt; 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms<br>
&gt; $curl <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">http://myip.ipip.net</a><br>
&gt; IP:&lt;server ip&gt;<br>
&gt;<br>
&gt; #take care, &quot;MTU = 1300&quot; in wg0.conf is needed when wireguard over udp2raw, or else most https requests will be blocked because of mtu problem.<br>
<br>
<br>
Hello Kexianbin,<br>
<br>
This is an UNOFFICIAL response to your question. (But I think the<br>
official developers may have similar answers.)<br>
<br>
Wireguard probably will not accept an official integration to udp2raw.<br>
The reasons are:<br>
<br>
1) Wireguard wants to keep their kernel part code minimized, therefore<br>
easy for security auditing, and less bugs.The UDP protocol is actually<br>
very simple and straightforward. (By the way, if you intended to use<br>
Wireguard in China, be informed that this is a protocol that is very<br>
easy to block by the ISP.)<br>
<br>
2) I have read the source code of udp2raw. To be frank, the code is of<br>
very low quality. For this reason, I don&#39;t think udp2raw would be<br>
integrated into Wireguard unless it&#39;s rewritten.<br>
<br>
3) Udp2raw is not suitable for everyone or for every country. For<br>
example udp2raw may have problems passing middleboxes, which is common<br>
among satellite ISPs in Oceania. Middleboxes break and resemble TCP<br>
segments thus make udp2raw literally unusable. Also it is not<br>
congestion friendly (by design), so a massive deployment may affect<br>
the global Internet ecology.<br></blockquote></div></div></blockquote><div><br></div><div>Let me also add (unofficially of course) that stealth against active scanning is also an important goal achieved by Wireguard&#39;s usage of UDP, and switching to TCP would break this. If TCP is required, then integration options with third party tools such as udp2raw-tunnel will always be there. Wireguard should not have to directly support those options, and rather should stick to its current compelling design.</div><div><br></div><div>--Mike</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
However the good news is, Wireguard provides an open control interface<br>
(see <a href="https://www.wireguard.com/xplatform/" rel="noreferrer" target="_blank">https://www.wireguard.com/xplatform/</a> ). By utilizing this<br>
interface, we can develop an alternate frontend application other than<br>
the official command &quot;wg&quot;, that automatically sets up the kernel<br>
Wireguard kernel part and a userland udp2raw part, packaged as one<br>
application.<br>
<br>
<br>
My words for Wireguard developers:<br>
<br>
1) In case you may not know the udp2raw protocol, here is a<br>
description. Some ISPs in certain countries have strange QoS strategy<br>
that deprioritize UDP packets during network congestion, resulting a<br>
50% loss rate or more for UDP. The udp2raw protocol simulates a<br>
three-way TCP handshake and add TCP header to UDP packets so they will<br>
not be dropped. This protocol does not do congestion control or rate<br>
control, neither does it understand any TCP semantics. It&#39;s a dirty<br>
hack for dirty ISP, not suitable for everyone, but overwhelmingly<br>
useful in certain countries.<br>
<br>
2) Wireguard currently does not support binding to localhost. This is<br>
required for any third-party plugins upon Wireguard to work. We might<br>
need to consider binding to localhost an important feature to go in<br>
the near future.<br>
<br>
<br>
Best regards,<br>
StarBrilliant<br>
</blockquote></div></div>
_______________________________________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/wireguard</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Michael Rash | Founder<br><a href="http://www.cipherdyne.org/" target="_blank">http://www.cipherdyne.org/</a><br>Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F<br></div></div></div>

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [feature request] To support "Wireguard over raw TCP"
  2018-09-25 16:29   ` Breus Blaauwendraad
@ 2018-10-02  6:40     ` Matthias Urlichs
  2018-10-02  6:53     ` KeXianbin(http://diyism.com)
  1 sibling, 0 replies; 7+ messages in thread
From: Matthias Urlichs @ 2018-10-02  6:40 UTC (permalink / raw)
  To: wireguard

[-- Attachment #1.1.1: Type: text/plain, Size: 803 bytes --]

On 25.09.2018 18:29, Breus Blaauwendraad wrote:
> Could someone tell whether or not TCP would be a future additional
> option for WireGuard, and why (not)?

Which of the umpteen available/possible ways of encapsulating UDP
packets in TCP (and possibly obfuscating them in some way) would you
want Wireguard to natively implement?

The answer is simple: None of them. Bind to localhost, and use a
separate program for forwarding UDP packets.

Also: Any performance gain from supporting TCP natively (as opposed to
going through userspace) is easily dwarfed by the fact that congestion
control requires occasionally dropping packets – specifically, the
packets queued to the TCP socket. TCP cannot do that. Even more
complexity in the kernel? not likely.

-- 
-- Matthias Urlichs



[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [feature request] To support "Wireguard over raw TCP"
  2018-09-25 16:29   ` Breus Blaauwendraad
  2018-10-02  6:40     ` Matthias Urlichs
@ 2018-10-02  6:53     ` KeXianbin(http://diyism.com)
  2018-10-02  9:00       ` KeXianbin(http://diyism.com)
  1 sibling, 1 reply; 7+ messages in thread
From: KeXianbin(http://diyism.com) @ 2018-10-02  6:53 UTC (permalink / raw)
  To: Breus Blaauwendraad; +Cc: wireguard

[-- Attachment #1.1: Type: text/plain, Size: 7259 bytes --]

The most important for me is to keep the P2P feature(auto NAT traverse) of
wireguard while wrapping the wireguard UDP packets into udp2raw Fake
TCP/Raw TCP packets. I think that keeping p2p feature of wireguard in
wireguard+udp2raw is more complex or even impossible than Wireguard itself
supports Fake TCP/Raw TCP packets:
https://github.com/wangyu-/udp2raw-tunnel/issues/212

On Oct 2, 2018 11:11, "Breus Blaauwendraad" <b.blaauwendraad@gmail.com>
wrote:

> Hello StarBrilliant,
>
> I think that what Kexianbin is trying to make clear is that it would be
> nice if  native TCP support would be added in WireGuard.
> He (probably) currently uses udp2raw as an alternative, because an
> UDP-only VPN is sadly enough not working in every situation.
> With him, there have been others pitching ideas on how to wrap the
> WireGuard UDP traffic in TCP, which in my opinion, is a poor idea.
>
> So, why would UDP for a VPN service not be enough?
>
> First of all, most VPN traffic obfuscation techniques require a TCP
> connection instead of UDP.
> VPN usage is particularly useful in countries were Internet censorship is
> applied.
> Since obfuscating VPN traffic comes with performance overhead, wrapping
> the UDP in TCP and obfuscating this would kill the performance advantage
> WireGuard has over other protocols.
>
> However, what is arguably more important: various corporate firewalls
> (hotels/restaurants/offices) are known to block UDP (for random ports
> besides the standard DNS 53 port etc.).
> In these instances, it would be useful to have the possibility to build a
> fall back to TCP instead of UDP in a VPN service (or even the protocol
> itself).
>
> Also, various researchers I have spoken to told me that sometimes they
> need a more reliable (TCP) connection, which is then more important than
> the speed UDP provides.
>
> I'm looking into the possibilities to deploy the WireGuard VPN protocol
> for an existing VPN service currently using OpenVPN, but I keep stumbling
> on the problem that WIreGuard does not support TCP.
> I (think I) have read all posts regarding TCP for WireGuard, but it seems
> that there do not exists a good way to tackle this problem.
>
> Could someone tell whether or not TCP would be a future additional option
> for WireGuard, and why (not)?
>
> Also, do you think there actually does exist a neat and fitting solution
> for the problems I described?
>
> Kind regards,
>
> Breus Blaauwendraad
>
>
> On Tue, 25 Sep 2018 at 17:54, StarBrilliant <coder@poorlab.com> wrote:
>
>> On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(http://diyism.com)
>> <kexianbin@diyism.com> wrote:
>> >
>> > Currently, I'm using udp2raw-tunnel to transform wireguard udp traffic
>> into raw tcp (config files as follows),
>> > It's very stable on my home network than using wireguard alone,
>> > But if we can integrate RAW TCP feature into wireguard, it would
>> significantly improve performance and stability for end users.
>> >
>> >
>> > from: https://gist.github.com/diyism/1b80903a83776675031c73ae499438
>> d8#file-wireguard_config-txt-L145
>> >
>> > $wget https://github.com/wangyu-/udp2raw-tunnel/releases/
>> download/20180830.2/udp2raw_binaries.tar.gz
>> > $tar xzvf udp2raw_binaries.tar.gz
>> > $sudo cp udp2raw_amd64 /usr/bin/
>> > $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
>> > $cat /etc/wireguard/wg0.conf
>> > [Interface]
>> > PrivateKey = <client privkey>
>> > Address = 10.0.0.3/32
>> > ListenPort = 24447
>> > MTU = 1300
>> > PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <server
>> pubkey> allowed-ips 0.0.0.0/0
>> > PostDown = ip route del 10.0.0.0/24
>> >
>> > [Peer]
>> > #10.0.0.1
>> > PublicKey = <server pubkey>
>> > Endpoint = 127.0.0.2:24448
>> > #AllowedIPs = 0.0.0.0/0
>> >
>> > $sudo wg-quick down wg0 ; sudo wg-quick up wg0
>> > $ping 10.0.0.1
>> > 64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
>> > $sudo ip route add 104.24.0.0/16 dev wg0
>> > $ping myip.ipip.net
>> > PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
>> > 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms
>> > $curl http://myip.ipip.net
>> > IP:<server ip>
>> >
>> > #take care, "MTU = 1300" in wg0.conf is needed when wireguard over
>> udp2raw, or else most https requests will be blocked because of mtu problem.
>>
>>
>> Hello Kexianbin,
>>
>> This is an UNOFFICIAL response to your question. (But I think the
>> official developers may have similar answers.)
>>
>> Wireguard probably will not accept an official integration to udp2raw.
>> The reasons are:
>>
>> 1) Wireguard wants to keep their kernel part code minimized, therefore
>> easy for security auditing, and less bugs.The UDP protocol is actually
>> very simple and straightforward. (By the way, if you intended to use
>> Wireguard in China, be informed that this is a protocol that is very
>> easy to block by the ISP.)
>>
>> 2) I have read the source code of udp2raw. To be frank, the code is of
>> very low quality. For this reason, I don't think udp2raw would be
>> integrated into Wireguard unless it's rewritten.
>>
>> 3) Udp2raw is not suitable for everyone or for every country. For
>> example udp2raw may have problems passing middleboxes, which is common
>> among satellite ISPs in Oceania. Middleboxes break and resemble TCP
>> segments thus make udp2raw literally unusable. Also it is not
>> congestion friendly (by design), so a massive deployment may affect
>> the global Internet ecology.
>>
>> However the good news is, Wireguard provides an open control interface
>> (see https://www.wireguard.com/xplatform/ ). By utilizing this
>> interface, we can develop an alternate frontend application other than
>> the official command "wg", that automatically sets up the kernel
>> Wireguard kernel part and a userland udp2raw part, packaged as one
>> application.
>>
>>
>> My words for Wireguard developers:
>>
>> 1) In case you may not know the udp2raw protocol, here is a
>> description. Some ISPs in certain countries have strange QoS strategy
>> that deprioritize UDP packets during network congestion, resulting a
>> 50% loss rate or more for UDP. The udp2raw protocol simulates a
>> three-way TCP handshake and add TCP header to UDP packets so they will
>> not be dropped. This protocol does not do congestion control or rate
>> control, neither does it understand any TCP semantics. It's a dirty
>> hack for dirty ISP, not suitable for everyone, but overwhelmingly
>> useful in certain countries.
>>
>> 2) Wireguard currently does not support binding to localhost. This is
>> required for any third-party plugins upon Wireguard to work. We might
>> need to consider binding to localhost an important feature to go in
>> the near future.
>>
>>
>> Best regards,
>> StarBrilliant
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard
>>
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
>

[-- Attachment #1.2: Type: text/html, Size: 10443 bytes --]

<div dir="auto">The most important for me is to keep the P2P feature(auto NAT traverse) of wireguard while wrapping the wireguard UDP packets into udp2raw Fake TCP/Raw TCP packets. <span style="color:rgb(36,41,46);font-family:-apple-system,blinkmacsystemfont,&quot;segoe ui&quot;,helvetica,arial,sans-serif,&quot;apple color emoji&quot;,&quot;segoe ui emoji&quot;,&quot;segoe ui symbol&quot;;font-size:14px;background-color:rgb(255,255,255)">I think that keeping p2p feature of wireguard in wireguard+udp2raw is more complex or even impossible than Wireguard itself supports Fake TCP/Raw TCP packets: </span><font color="#24292e" face="-apple-system, blinkmacsystemfont, segoe ui, helvetica, arial, sans-serif, apple color emoji, segoe ui emoji, segoe ui symbol"><span style="font-size:14px"><a href="https://github.com/wangyu-/udp2raw-tunnel/issues/212">https://github.com/wangyu-/udp2raw-tunnel/issues/212</a></span></font></div><div class="gmail_extra"><br><div class="gmail_quote">On Oct 2, 2018 11:11, &quot;Breus Blaauwendraad&quot; &lt;<a href="mailto:b.blaauwendraad@gmail.com" target="_blank">b.blaauwendraad@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello StarBrilliant,</div><div><br></div><div>I think that what 
Kexianbin is trying to make clear is that it would be nice if  native TCP support would be added in WireGuard.</div><div>He (probably) currently uses udp2raw as an alternative, because an UDP-only VPN is sadly enough not working in every situation.</div><div>With him, there have been others pitching ideas on how to wrap the WireGuard UDP traffic in TCP, which in my opinion, is a poor idea.</div><div><br></div><div>So, why would UDP for a VPN service not be enough?<br></div><div><br></div><div>First of all, most VPN traffic obfuscation techniques require a TCP connection instead of UDP. <br></div><div>VPN usage is particularly useful in countries were Internet censorship is applied.<br></div><div>Since obfuscating VPN traffic comes with performance overhead, wrapping the UDP in TCP and obfuscating this would kill the performance advantage WireGuard has over other protocols.<br></div><div><br></div><div>However, what is arguably more important: various corporate firewalls (hotels/restaurants/offices) are known to block UDP (for random ports besides the standard DNS 53 port etc.). </div><div>In these instances, it would be useful to have the possibility to build a fall back to TCP instead of UDP in a VPN service (or even the protocol itself).<br></div><div><br></div><div>Also, various researchers I have spoken to told me that sometimes they need a more reliable (TCP) connection, which is then more important than the speed UDP provides.</div><div><br></div><div>I&#39;m looking into the possibilities to deploy the WireGuard VPN protocol for an existing VPN service currently using OpenVPN, but I keep stumbling on the problem that WIreGuard does not support TCP.</div><div>I (think I) have read all posts regarding TCP for WireGuard, but it seems that there do not exists a good way to tackle this problem.</div><div><br></div><div>Could someone tell whether or not TCP would be a future additional option for WireGuard, and why (not)?</div><div><br></div><div>Also, do you think there actually does exist a neat and fitting solution for the problems I described?</div><div><br></div><div>Kind regards,</div><div><br></div><div>Breus Blaauwendraad<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 25 Sep 2018 at 17:54, StarBrilliant &lt;<a href="mailto:coder@poorlab.com" target="_blank">coder@poorlab.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(<a href="http://diyism.com" rel="noreferrer" target="_blank">http://diyism.com</a>)<br>
&lt;<a href="mailto:kexianbin@diyism.com" target="_blank">kexianbin@diyism.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Currently, I&#39;m using udp2raw-tunnel to transform wireguard udp traffic into raw tcp (config files as follows),<br>
&gt; It&#39;s very stable on my home network than using wireguard alone,<br>
&gt; But if we can integrate RAW TCP feature into wireguard, it would significantly improve performance and stability for end users.<br>
&gt;<br>
&gt;<br>
&gt; from: <a href="https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145" rel="noreferrer" target="_blank">https://gist.github.com/<wbr>diyism/<wbr>1b80903a83776675031c73ae499438<wbr>d8#file-wireguard_config-txt-<wbr>L145</a><br>
&gt;<br>
&gt; $wget <a href="https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz" rel="noreferrer" target="_blank">https://github.com/wangyu-/<wbr>udp2raw-tunnel/releases/<wbr>download/20180830.2/udp2raw_<wbr>binaries.tar.gz</a><br>
&gt; $tar xzvf udp2raw_binaries.tar.gz<br>
&gt; $sudo cp udp2raw_amd64 /usr/bin/<br>
&gt; $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r&lt;server ip&gt;:24447 -a<br>
&gt; $cat /etc/wireguard/wg0.conf<br>
&gt; [Interface]<br>
&gt; PrivateKey = &lt;client privkey&gt;<br>
&gt; Address = <a href="http://10.0.0.3/32" rel="noreferrer" target="_blank">10.0.0.3/32</a><br>
&gt; ListenPort = 24447<br>
&gt; MTU = 1300<br>
&gt; PostUp = ip route add <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> dev wg0 &amp;&amp; wg set wg0 peer &lt;server pubkey&gt; allowed-ips <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt; PostDown = ip route del <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a><br>
&gt;<br>
&gt; [Peer]<br>
&gt; #10.0.0.1<br>
&gt; PublicKey = &lt;server pubkey&gt;<br>
&gt; Endpoint = <a href="http://127.0.0.2:24448" rel="noreferrer" target="_blank">127.0.0.2:24448</a><br>
&gt; #AllowedIPs = <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt;<br>
&gt; $sudo wg-quick down wg0 ; sudo wg-quick up wg0<br>
&gt; $ping 10.0.0.1<br>
&gt; 64 bytes from <a href="http://10.0.0.1" rel="noreferrer" target="_blank">10.0.0.1</a>: icmp_seq=2113 ttl=64 time=183 ms<br>
&gt; $sudo ip route add <a href="http://104.24.0.0/16" rel="noreferrer" target="_blank">104.24.0.0/16</a> dev wg0<br>
&gt; $ping <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a><br>
&gt; PING <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a> (104.24.20.50) 56(84) bytes of data.<br>
&gt; 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms<br>
&gt; $curl <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">http://myip.ipip.net</a><br>
&gt; IP:&lt;server ip&gt;<br>
&gt;<br>
&gt; #take care, &quot;MTU = 1300&quot; in wg0.conf is needed when wireguard over udp2raw, or else most https requests will be blocked because of mtu problem.<br>
<br>
<br>
Hello Kexianbin,<br>
<br>
This is an UNOFFICIAL response to your question. (But I think the<br>
official developers may have similar answers.)<br>
<br>
Wireguard probably will not accept an official integration to udp2raw.<br>
The reasons are:<br>
<br>
1) Wireguard wants to keep their kernel part code minimized, therefore<br>
easy for security auditing, and less bugs.The UDP protocol is actually<br>
very simple and straightforward. (By the way, if you intended to use<br>
Wireguard in China, be informed that this is a protocol that is very<br>
easy to block by the ISP.)<br>
<br>
2) I have read the source code of udp2raw. To be frank, the code is of<br>
very low quality. For this reason, I don&#39;t think udp2raw would be<br>
integrated into Wireguard unless it&#39;s rewritten.<br>
<br>
3) Udp2raw is not suitable for everyone or for every country. For<br>
example udp2raw may have problems passing middleboxes, which is common<br>
among satellite ISPs in Oceania. Middleboxes break and resemble TCP<br>
segments thus make udp2raw literally unusable. Also it is not<br>
congestion friendly (by design), so a massive deployment may affect<br>
the global Internet ecology.<br>
<br>
However the good news is, Wireguard provides an open control interface<br>
(see <a href="https://www.wireguard.com/xplatform/" rel="noreferrer" target="_blank">https://www.wireguard.com/<wbr>xplatform/</a> ). By utilizing this<br>
interface, we can develop an alternate frontend application other than<br>
the official command &quot;wg&quot;, that automatically sets up the kernel<br>
Wireguard kernel part and a userland udp2raw part, packaged as one<br>
application.<br>
<br>
<br>
My words for Wireguard developers:<br>
<br>
1) In case you may not know the udp2raw protocol, here is a<br>
description. Some ISPs in certain countries have strange QoS strategy<br>
that deprioritize UDP packets during network congestion, resulting a<br>
50% loss rate or more for UDP. The udp2raw protocol simulates a<br>
three-way TCP handshake and add TCP header to UDP packets so they will<br>
not be dropped. This protocol does not do congestion control or rate<br>
control, neither does it understand any TCP semantics. It&#39;s a dirty<br>
hack for dirty ISP, not suitable for everyone, but overwhelmingly<br>
useful in certain countries.<br>
<br>
2) Wireguard currently does not support binding to localhost. This is<br>
required for any third-party plugins upon Wireguard to work. We might<br>
need to consider binding to localhost an important feature to go in<br>
the near future.<br>
<br>
<br>
Best regards,<br>
StarBrilliant<br>
______________________________<wbr>_________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/<wbr>mailman/listinfo/wireguard</a><br>
</blockquote></div>
<br>______________________________<wbr>_________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/<wbr>mailman/listinfo/wireguard</a><br>
<br></blockquote></div></div>

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [feature request] To support "Wireguard over raw TCP"
  2018-10-02  6:53     ` KeXianbin(http://diyism.com)
@ 2018-10-02  9:00       ` KeXianbin(http://diyism.com)
  0 siblings, 0 replies; 7+ messages in thread
From: KeXianbin(http://diyism.com) @ 2018-10-02  9:00 UTC (permalink / raw)
  To: Breus Blaauwendraad; +Cc: wireguard

[-- Attachment #1.1: Type: text/plain, Size: 8001 bytes --]

Sorry, I've got some help from udp2raw author, he/she tell me
udp2raw/faketcp needs a tcp handshake to build a tcp connection. So
Integrating FakeTCP into wireguard has no possibility to keep the
P2P/nat-traverse feature.
Finally I abandon/recall my Feature Request to integrating faketcp into
Wireguard. Maybe I can only integrate udp2raw into a personal Wireguard
android client to only connect the wireguard on my VPS(with a public
ip:port).

Malcolm Ke

On Oct 2, 2018 14:53, "KeXianbin(http://diyism.com)" <kexianbin@diyism.com>
wrote:

> The most important for me is to keep the P2P feature(auto NAT traverse) of
> wireguard while wrapping the wireguard UDP packets into udp2raw Fake
> TCP/Raw TCP packets. I think that keeping p2p feature of wireguard in
> wireguard+udp2raw is more complex or even impossible than Wireguard itself
> supports Fake TCP/Raw TCP packets: https://github.com/
> wangyu-/udp2raw-tunnel/issues/212
>
> On Oct 2, 2018 11:11, "Breus Blaauwendraad" <b.blaauwendraad@gmail.com>
> wrote:
>
>> Hello StarBrilliant,
>>
>> I think that what Kexianbin is trying to make clear is that it would be
>> nice if  native TCP support would be added in WireGuard.
>> He (probably) currently uses udp2raw as an alternative, because an
>> UDP-only VPN is sadly enough not working in every situation.
>> With him, there have been others pitching ideas on how to wrap the
>> WireGuard UDP traffic in TCP, which in my opinion, is a poor idea.
>>
>> So, why would UDP for a VPN service not be enough?
>>
>> First of all, most VPN traffic obfuscation techniques require a TCP
>> connection instead of UDP.
>> VPN usage is particularly useful in countries were Internet censorship is
>> applied.
>> Since obfuscating VPN traffic comes with performance overhead, wrapping
>> the UDP in TCP and obfuscating this would kill the performance advantage
>> WireGuard has over other protocols.
>>
>> However, what is arguably more important: various corporate firewalls
>> (hotels/restaurants/offices) are known to block UDP (for random ports
>> besides the standard DNS 53 port etc.).
>> In these instances, it would be useful to have the possibility to build a
>> fall back to TCP instead of UDP in a VPN service (or even the protocol
>> itself).
>>
>> Also, various researchers I have spoken to told me that sometimes they
>> need a more reliable (TCP) connection, which is then more important than
>> the speed UDP provides.
>>
>> I'm looking into the possibilities to deploy the WireGuard VPN protocol
>> for an existing VPN service currently using OpenVPN, but I keep stumbling
>> on the problem that WIreGuard does not support TCP.
>> I (think I) have read all posts regarding TCP for WireGuard, but it seems
>> that there do not exists a good way to tackle this problem.
>>
>> Could someone tell whether or not TCP would be a future additional option
>> for WireGuard, and why (not)?
>>
>> Also, do you think there actually does exist a neat and fitting solution
>> for the problems I described?
>>
>> Kind regards,
>>
>> Breus Blaauwendraad
>>
>>
>> On Tue, 25 Sep 2018 at 17:54, StarBrilliant <coder@poorlab.com> wrote:
>>
>>> On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(http://diyism.com)
>>> <kexianbin@diyism.com> wrote:
>>> >
>>> > Currently, I'm using udp2raw-tunnel to transform wireguard udp traffic
>>> into raw tcp (config files as follows),
>>> > It's very stable on my home network than using wireguard alone,
>>> > But if we can integrate RAW TCP feature into wireguard, it would
>>> significantly improve performance and stability for end users.
>>> >
>>> >
>>> > from: https://gist.github.com/diyism/1b80903a83776675031c73ae49943
>>> 8d8#file-wireguard_config-txt-L145
>>> >
>>> > $wget https://github.com/wangyu-/udp2raw-tunnel/releases/download/
>>> 20180830.2/udp2raw_binaries.tar.gz
>>> > $tar xzvf udp2raw_binaries.tar.gz
>>> > $sudo cp udp2raw_amd64 /usr/bin/
>>> > $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
>>> > $cat /etc/wireguard/wg0.conf
>>> > [Interface]
>>> > PrivateKey = <client privkey>
>>> > Address = 10.0.0.3/32
>>> > ListenPort = 24447
>>> > MTU = 1300
>>> > PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <server
>>> pubkey> allowed-ips 0.0.0.0/0
>>> > PostDown = ip route del 10.0.0.0/24
>>> >
>>> > [Peer]
>>> > #10.0.0.1
>>> > PublicKey = <server pubkey>
>>> > Endpoint = 127.0.0.2:24448
>>> > #AllowedIPs = 0.0.0.0/0
>>> >
>>> > $sudo wg-quick down wg0 ; sudo wg-quick up wg0
>>> > $ping 10.0.0.1
>>> > 64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
>>> > $sudo ip route add 104.24.0.0/16 dev wg0
>>> > $ping myip.ipip.net
>>> > PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
>>> > 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185
>>> ms
>>> > $curl http://myip.ipip.net
>>> > IP:<server ip>
>>> >
>>> > #take care, "MTU = 1300" in wg0.conf is needed when wireguard over
>>> udp2raw, or else most https requests will be blocked because of mtu problem.
>>>
>>>
>>> Hello Kexianbin,
>>>
>>> This is an UNOFFICIAL response to your question. (But I think the
>>> official developers may have similar answers.)
>>>
>>> Wireguard probably will not accept an official integration to udp2raw.
>>> The reasons are:
>>>
>>> 1) Wireguard wants to keep their kernel part code minimized, therefore
>>> easy for security auditing, and less bugs.The UDP protocol is actually
>>> very simple and straightforward. (By the way, if you intended to use
>>> Wireguard in China, be informed that this is a protocol that is very
>>> easy to block by the ISP.)
>>>
>>> 2) I have read the source code of udp2raw. To be frank, the code is of
>>> very low quality. For this reason, I don't think udp2raw would be
>>> integrated into Wireguard unless it's rewritten.
>>>
>>> 3) Udp2raw is not suitable for everyone or for every country. For
>>> example udp2raw may have problems passing middleboxes, which is common
>>> among satellite ISPs in Oceania. Middleboxes break and resemble TCP
>>> segments thus make udp2raw literally unusable. Also it is not
>>> congestion friendly (by design), so a massive deployment may affect
>>> the global Internet ecology.
>>>
>>> However the good news is, Wireguard provides an open control interface
>>> (see https://www.wireguard.com/xplatform/ ). By utilizing this
>>> interface, we can develop an alternate frontend application other than
>>> the official command "wg", that automatically sets up the kernel
>>> Wireguard kernel part and a userland udp2raw part, packaged as one
>>> application.
>>>
>>>
>>> My words for Wireguard developers:
>>>
>>> 1) In case you may not know the udp2raw protocol, here is a
>>> description. Some ISPs in certain countries have strange QoS strategy
>>> that deprioritize UDP packets during network congestion, resulting a
>>> 50% loss rate or more for UDP. The udp2raw protocol simulates a
>>> three-way TCP handshake and add TCP header to UDP packets so they will
>>> not be dropped. This protocol does not do congestion control or rate
>>> control, neither does it understand any TCP semantics. It's a dirty
>>> hack for dirty ISP, not suitable for everyone, but overwhelmingly
>>> useful in certain countries.
>>>
>>> 2) Wireguard currently does not support binding to localhost. This is
>>> required for any third-party plugins upon Wireguard to work. We might
>>> need to consider binding to localhost an important feature to go in
>>> the near future.
>>>
>>>
>>> Best regards,
>>> StarBrilliant
>>> _______________________________________________
>>> WireGuard mailing list
>>> WireGuard@lists.zx2c4.com
>>> https://lists.zx2c4.com/mailman/listinfo/wireguard
>>>
>>
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard
>>
>>

[-- Attachment #1.2: Type: text/html, Size: 11407 bytes --]

<div dir="auto">Sorry, I&#39;ve got some help from udp2raw author, he/she tell me udp2raw/faketcp needs a tcp handshake to build a tcp connection. So Integrating FakeTCP into wireguard has no possibility to keep the P2P/nat-traverse feature.<div dir="auto">Finally I abandon/recall my Feature Request to integrating faketcp into Wireguard. Maybe I can only integrate udp2raw into a personal Wireguard android client to only connect the wireguard on my VPS(with a public ip:port).</div><div dir="auto"><br></div><div dir="auto">Malcolm Ke</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Oct 2, 2018 14:53, &quot;KeXianbin(<a href="http://diyism.com">http://diyism.com</a>)&quot; &lt;<a href="mailto:kexianbin@diyism.com">kexianbin@diyism.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">The most important for me is to keep the P2P feature(auto NAT traverse) of wireguard while wrapping the wireguard UDP packets into udp2raw Fake TCP/Raw TCP packets. <span style="color:rgb(36,41,46);font-family:-apple-system,blinkmacsystemfont,&quot;segoe ui&quot;,helvetica,arial,sans-serif,&quot;apple color emoji&quot;,&quot;segoe ui emoji&quot;,&quot;segoe ui symbol&quot;;font-size:14px;background-color:rgb(255,255,255)">I think that keeping p2p feature of wireguard in wireguard+udp2raw is more complex or even impossible than Wireguard itself supports Fake TCP/Raw TCP packets: </span><font color="#24292e" face="-apple-system, blinkmacsystemfont, segoe ui, helvetica, arial, sans-serif, apple color emoji, segoe ui emoji, segoe ui symbol"><span style="font-size:14px"><a href="https://github.com/wangyu-/udp2raw-tunnel/issues/212" target="_blank">https://github.com/<wbr>wangyu-/udp2raw-tunnel/issues/<wbr>212</a></span></font></div><div class="gmail_extra"><br><div class="gmail_quote">On Oct 2, 2018 11:11, &quot;Breus Blaauwendraad&quot; &lt;<a href="mailto:b.blaauwendraad@gmail.com" target="_blank">b.blaauwendraad@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello StarBrilliant,</div><div><br></div><div>I think that what 
Kexianbin is trying to make clear is that it would be nice if  native TCP support would be added in WireGuard.</div><div>He (probably) currently uses udp2raw as an alternative, because an UDP-only VPN is sadly enough not working in every situation.</div><div>With him, there have been others pitching ideas on how to wrap the WireGuard UDP traffic in TCP, which in my opinion, is a poor idea.</div><div><br></div><div>So, why would UDP for a VPN service not be enough?<br></div><div><br></div><div>First of all, most VPN traffic obfuscation techniques require a TCP connection instead of UDP. <br></div><div>VPN usage is particularly useful in countries were Internet censorship is applied.<br></div><div>Since obfuscating VPN traffic comes with performance overhead, wrapping the UDP in TCP and obfuscating this would kill the performance advantage WireGuard has over other protocols.<br></div><div><br></div><div>However, what is arguably more important: various corporate firewalls (hotels/restaurants/offices) are known to block UDP (for random ports besides the standard DNS 53 port etc.). </div><div>In these instances, it would be useful to have the possibility to build a fall back to TCP instead of UDP in a VPN service (or even the protocol itself).<br></div><div><br></div><div>Also, various researchers I have spoken to told me that sometimes they need a more reliable (TCP) connection, which is then more important than the speed UDP provides.</div><div><br></div><div>I&#39;m looking into the possibilities to deploy the WireGuard VPN protocol for an existing VPN service currently using OpenVPN, but I keep stumbling on the problem that WIreGuard does not support TCP.</div><div>I (think I) have read all posts regarding TCP for WireGuard, but it seems that there do not exists a good way to tackle this problem.</div><div><br></div><div>Could someone tell whether or not TCP would be a future additional option for WireGuard, and why (not)?</div><div><br></div><div>Also, do you think there actually does exist a neat and fitting solution for the problems I described?</div><div><br></div><div>Kind regards,</div><div><br></div><div>Breus Blaauwendraad<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 25 Sep 2018 at 17:54, StarBrilliant &lt;<a href="mailto:coder@poorlab.com" target="_blank">coder@poorlab.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(<a href="http://diyism.com" rel="noreferrer" target="_blank">http://diyism.com</a>)<br>
&lt;<a href="mailto:kexianbin@diyism.com" target="_blank">kexianbin@diyism.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Currently, I&#39;m using udp2raw-tunnel to transform wireguard udp traffic into raw tcp (config files as follows),<br>
&gt; It&#39;s very stable on my home network than using wireguard alone,<br>
&gt; But if we can integrate RAW TCP feature into wireguard, it would significantly improve performance and stability for end users.<br>
&gt;<br>
&gt;<br>
&gt; from: <a href="https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145" rel="noreferrer" target="_blank">https://gist.github.com/diyism<wbr>/1b80903a83776675031c73ae49943<wbr>8d8#file-wireguard_config-txt-<wbr>L145</a><br>
&gt;<br>
&gt; $wget <a href="https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz" rel="noreferrer" target="_blank">https://github.com/wangyu-/udp<wbr>2raw-tunnel/releases/download/<wbr>20180830.2/udp2raw_binaries.<wbr>tar.gz</a><br>
&gt; $tar xzvf udp2raw_binaries.tar.gz<br>
&gt; $sudo cp udp2raw_amd64 /usr/bin/<br>
&gt; $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r&lt;server ip&gt;:24447 -a<br>
&gt; $cat /etc/wireguard/wg0.conf<br>
&gt; [Interface]<br>
&gt; PrivateKey = &lt;client privkey&gt;<br>
&gt; Address = <a href="http://10.0.0.3/32" rel="noreferrer" target="_blank">10.0.0.3/32</a><br>
&gt; ListenPort = 24447<br>
&gt; MTU = 1300<br>
&gt; PostUp = ip route add <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> dev wg0 &amp;&amp; wg set wg0 peer &lt;server pubkey&gt; allowed-ips <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt; PostDown = ip route del <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a><br>
&gt;<br>
&gt; [Peer]<br>
&gt; #10.0.0.1<br>
&gt; PublicKey = &lt;server pubkey&gt;<br>
&gt; Endpoint = <a href="http://127.0.0.2:24448" rel="noreferrer" target="_blank">127.0.0.2:24448</a><br>
&gt; #AllowedIPs = <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
&gt;<br>
&gt; $sudo wg-quick down wg0 ; sudo wg-quick up wg0<br>
&gt; $ping 10.0.0.1<br>
&gt; 64 bytes from <a href="http://10.0.0.1" rel="noreferrer" target="_blank">10.0.0.1</a>: icmp_seq=2113 ttl=64 time=183 ms<br>
&gt; $sudo ip route add <a href="http://104.24.0.0/16" rel="noreferrer" target="_blank">104.24.0.0/16</a> dev wg0<br>
&gt; $ping <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a><br>
&gt; PING <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a> (104.24.20.50) 56(84) bytes of data.<br>
&gt; 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms<br>
&gt; $curl <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">http://myip.ipip.net</a><br>
&gt; IP:&lt;server ip&gt;<br>
&gt;<br>
&gt; #take care, &quot;MTU = 1300&quot; in wg0.conf is needed when wireguard over udp2raw, or else most https requests will be blocked because of mtu problem.<br>
<br>
<br>
Hello Kexianbin,<br>
<br>
This is an UNOFFICIAL response to your question. (But I think the<br>
official developers may have similar answers.)<br>
<br>
Wireguard probably will not accept an official integration to udp2raw.<br>
The reasons are:<br>
<br>
1) Wireguard wants to keep their kernel part code minimized, therefore<br>
easy for security auditing, and less bugs.The UDP protocol is actually<br>
very simple and straightforward. (By the way, if you intended to use<br>
Wireguard in China, be informed that this is a protocol that is very<br>
easy to block by the ISP.)<br>
<br>
2) I have read the source code of udp2raw. To be frank, the code is of<br>
very low quality. For this reason, I don&#39;t think udp2raw would be<br>
integrated into Wireguard unless it&#39;s rewritten.<br>
<br>
3) Udp2raw is not suitable for everyone or for every country. For<br>
example udp2raw may have problems passing middleboxes, which is common<br>
among satellite ISPs in Oceania. Middleboxes break and resemble TCP<br>
segments thus make udp2raw literally unusable. Also it is not<br>
congestion friendly (by design), so a massive deployment may affect<br>
the global Internet ecology.<br>
<br>
However the good news is, Wireguard provides an open control interface<br>
(see <a href="https://www.wireguard.com/xplatform/" rel="noreferrer" target="_blank">https://www.wireguard.com/xpla<wbr>tform/</a> ). By utilizing this<br>
interface, we can develop an alternate frontend application other than<br>
the official command &quot;wg&quot;, that automatically sets up the kernel<br>
Wireguard kernel part and a userland udp2raw part, packaged as one<br>
application.<br>
<br>
<br>
My words for Wireguard developers:<br>
<br>
1) In case you may not know the udp2raw protocol, here is a<br>
description. Some ISPs in certain countries have strange QoS strategy<br>
that deprioritize UDP packets during network congestion, resulting a<br>
50% loss rate or more for UDP. The udp2raw protocol simulates a<br>
three-way TCP handshake and add TCP header to UDP packets so they will<br>
not be dropped. This protocol does not do congestion control or rate<br>
control, neither does it understand any TCP semantics. It&#39;s a dirty<br>
hack for dirty ISP, not suitable for everyone, but overwhelmingly<br>
useful in certain countries.<br>
<br>
2) Wireguard currently does not support binding to localhost. This is<br>
required for any third-party plugins upon Wireguard to work. We might<br>
need to consider binding to localhost an important feature to go in<br>
the near future.<br>
<br>
<br>
Best regards,<br>
StarBrilliant<br>
______________________________<wbr>_________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailma<wbr>n/listinfo/wireguard</a><br>
</blockquote></div>
<br>______________________________<wbr>_________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailma<wbr>n/listinfo/wireguard</a><br>
<br></blockquote></div></div>
</blockquote></div></div>

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [feature request] To support "Wireguard over raw TCP"
@ 2018-09-26  7:14 Saeid Akbari
  0 siblings, 0 replies; 7+ messages in thread
From: Saeid Akbari @ 2018-09-26  7:14 UTC (permalink / raw)
  To: StarBrilliant; +Cc: wireguard

Hi,

> 2) Wireguard currently does not support binding to localhost. This is
> required for any third-party plugins upon Wireguard to work. We might
> need to consider binding to localhost an important feature to go in
> the near future.

FYI,
I just recently used WireGuard with udp2raw-tunnel successfully. Both 
localhost endpoint on the client side, and localhost endpoint on the server-
side worked like a charm. Although I understand you can't "bind" the udp 
socket to 127.0.0.1 to restrict its outside usage, but it works on 0.0.0.0 
regardless.


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <CAKVinOU6xpbJNfCPAecX7kOgk_PbCzThYtER9d3ax1h6k3DGTw@mail.gmail.com>
2018-09-25 15:52 ` [feature request] To support "Wireguard over raw TCP" StarBrilliant
2018-09-25 16:29   ` Breus Blaauwendraad
2018-10-02  6:40     ` Matthias Urlichs
2018-10-02  6:53     ` KeXianbin(http://diyism.com)
2018-10-02  9:00       ` KeXianbin(http://diyism.com)
     [not found]   ` <CAKVinOXXqMDRZcjVbOS4-iMBONdiYKaho8e3tEAZO+JKOZ_Gxw@mail.gmail.com>
2018-09-25 20:25     ` Michael Rash
2018-09-26  7:14 Saeid Akbari

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com zx2c4-wireguard@archiver.kernel.org
	public-inbox-index wireguard


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard


AGPL code for this site: git clone https://public-inbox.org/ public-inbox