4.7 KiB
4.7 KiB
wireguard-proxy
Proxy wireguard UDP packets over TCP/TLS
wireguard-proxy
has 2 modes:
- server-side daemon to accept TCP/TLS connections from multiple clients and pipe data to and from the specified UDP port
- client-side daemon that accepts UDP packets on a local port from a single client, connects to a single remote TCP/TLS port, and pipes data between them
$ wireguard-proxy -h
usage: wireguard-proxy [options...]
Client Mode (requires --tcp-target):
-tt, --tcp-target <ip:port> TCP target to send packets to, where
wireguard-proxy server is running
-uh, --udp-host <ip:port> UDP host to listen on, point wireguard
client here, default: 127.0.0.1:51820
--tls use TLS when connecting to tcp-target
WARNING: currently verifies nothing!
--tls-hostname send this in SNI instead of host
from --tcp-target, useful for avoiding
DNS lookup on connect
Server Mode (requires --tcp-host):
-th, --tcp-host <ip:port> TCP host to listen on
-ut, --udp-target <ip:port> UDP target to send packets to, where
wireguard server is running,
default: 127.0.0.1:51820
-ur, --udp-bind-host-range <ip:low-high> UDP host and port range to bind to,
one port per TCP connection, to
listen on for UDP packets to send
back over the TCP connection,
default: 127.0.0.1:30000-40000
-tk, --tls-key <ip:port> TLS key to listen with,
requires --tls-cert also
-tc, --tls-cert <ip:port> TLS cert to listen with,
requires --tls-key also
Common Options:
-h, --help print this usage text
-st, --socket-timeout <seconds> Socket timeout (time to wait for data)
before terminating, default: 0
Binaries:
- releases has static builds for most platforms performed by travis-ci and appveyor courtesy of trust
- Arch Linux AUR wireguard-proxy and wireguard-proxy-git
Building:
cargo build --release
- minimal build without TLS support, no dependenciescargo build --release --feature tls
- links to system opensslcargo build --release --feature openssl_vendored
- compiles vendored openssl and link to it
Testing:
udp-test
is a utility to send a UDP packet and then receive a UDP packet and ensure they are the same, this verifies packets sent through proxy server/client are unmolestedudp-test -s
runs udp-test against itself through proxy server/client by spawning actual binariesudp-test -is
runs udp-test against itself through proxy server/client in same executable by using library, so does not test command line parsing etctest.sh
runs udp-test against itself, the udp-test self tests above, and through proxy server/client in the shell script
Testing with GNU netcat:
nc -vulp 51820
listen on udp like wireguard wouldnc -u -p 51821 127.0.0.1 51820
connect directly to local udp wireguard port to send data to 51820 from port 51821nc -vlp 5555
listen on tcp like wireguard-proxy wouldnc 127.0.0.1 5555
connect directly to local tcp wireguard-proxy port to send/recieve data- so to test through wireguard-proxy run first and last command while it's running, type in both places
License
This project is licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in die by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.