proxy wireguard over TCP/TLS

Go to file

moparisthebest 1650cefa0d Support falling back to environment variables if command line arguments don't exist		2019-12-21 01:48:48 -05:00
ci	Added TLS --pinnedpubkey support	2019-12-17 01:22:26 -05:00
src	Support falling back to environment variables if command line arguments don't exist	2019-12-21 01:48:48 -05:00
.gitignore	Initial Commit	2019-07-12 01:02:41 -04:00
.travis.yml	CI: stop releasing archives, just release binaries	2019-12-16 22:33:26 -05:00
appveyor.yml	Added TLS --pinnedpubkey support	2019-12-17 01:22:26 -05:00
Cargo.lock	CI: depending on platform build without, with system, or with vendored TLS	2019-12-16 19:12:02 -05:00
Cargo.toml	Put verbose byte count output behind verbose feature	2019-12-17 01:33:42 -05:00
LICENSE-APACHE	Initial Commit	2019-07-12 01:02:41 -04:00
LICENSE-MIT	Initial Commit	2019-07-12 01:02:41 -04:00
README.md	Support falling back to environment variables if command line arguments don't exist	2019-12-21 01:48:48 -05:00
test.sh	Added TLS --pinnedpubkey support	2019-12-17 01:22:26 -05:00

README.md

wireguard-proxy

Proxy wireguard UDP packets over TCP/TLS

wireguard-proxy has 2 modes:

server-side daemon to accept TCP/TLS connections from multiple clients and pipe data to and from the specified UDP port
client-side daemon that accepts UDP packets on a local port from a single client, connects to a single remote TCP/TLS port, and pipes data between them

$ wireguard-proxy -h
usage: wireguard-proxy [options...]
 Client Mode (requires --tcp-target):
 -tt, --tcp-target <ip:port>     TCP target to send packets to, where
                                 wireguard-proxy server is running
 -uh, --udp-host <ip:port>       UDP host to listen on, point wireguard
                                 client here, default: 127.0.0.1:51820
 --tls                           use TLS when connecting to tcp-target
                                 WARNING: authenticates/verifies nothing
                                 without --pinnedpubkey below!!
 --pinnedpubkey <sha256_hashes>  Public key to verify peer against,
                                 format is any number of base64 encoded
                                 sha256 hashes preceded by "sha256//"
                                 and separated by ";". Identical to curl's
                                 --pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
 --tls-hostname                  send this in SNI instead of host
                                 from --tcp-target, useful for avoiding
                                 DNS lookup on connect

 Server Mode (requires --tcp-host):
 -th, --tcp-host <ip:port>                TCP host to listen on
 -ut, --udp-target <ip:port>              UDP target to send packets to, where
                                          wireguard server is running,
                                          default: 127.0.0.1:51820
 -ur, --udp-bind-host-range <ip:low-high> UDP host and port range to bind to,
                                          one port per TCP connection, to
                                          listen on for UDP packets to send
                                          back over the TCP connection,
                                          default: 127.0.0.1:30000-40000
 -tk, --tls-key <ip:port>                 TLS key to listen with,
                                          requires --tls-cert also
 -tc, --tls-cert <ip:port>                TLS cert to listen with,
                                          requires --tls-key also

 Common Options:
 -h, --help                      print this usage text
 -st, --socket-timeout <seconds> Socket timeout (time to wait for data)
                                 before terminating, default: 0

 Environment variable support:
 For every command line option, short and long, if you replace all
 leading - with WGP_, and replace all remaining - with _, and uppercase
 the whole thing, if you don't specify that command line option we will
 read that environment variable for the argument. boolean arguments are
 true if anything but unset, empty, 0, or false.
 Examples:
   --tcp-target ARG is WGP_TCP_TARGET=ARG
   --socket-timeout 5 is WGP_SOCKET_TIMEOUT=5
   --tls is WGP_TLS=1 or WGP_TLS=true
   WGP_TLS=0 or WGP_TLS=false would be like not sending --tls

Binaries:

releases has static builds for most platforms performed by travis-ci and appveyor courtesy of trust
Arch Linux AUR wireguard-proxy and wireguard-proxy-git

Building:

cargo build --release - minimal build without TLS support, no dependencies
cargo build --release --feature tls - links to system openssl
cargo build --release --feature openssl_vendored - compiles vendored openssl and link to it

Testing:

udp-test is a utility to send a UDP packet and then receive a UDP packet and ensure they are the same, this verifies packets sent through proxy server/client are unmolested
udp-test -s runs udp-test against itself through proxy server/client by spawning actual binaries
udp-test -is runs udp-test against itself through proxy server/client in same executable by using library, so does not test command line parsing etc
test.sh runs udp-test against itself, the udp-test self tests above, and through proxy server/client in the shell script

Testing with GNU netcat:

nc -vulp 51820 listen on udp like wireguard would
nc -u -p 51821 127.0.0.1 51820 connect directly to local udp wireguard port to send data to 51820 from port 51821
nc -vlp 5555 listen on tcp like wireguard-proxy would
nc 127.0.0.1 5555 connect directly to local tcp wireguard-proxy port to send/recieve data
so to test through wireguard-proxy run first and last command while it's running, type in both places

License

This project is licensed under either of

Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in die by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.