erebe/wstunnel

I cannot connect to WireGuard with wstunnel on Windows

evangelme opened this issue · 8 comments

My WireGuard client conf is:
[Interface]
PrivateKey ="-------"
Address = 172.16.0.2/32
DNS = 8.8.8.8
MTU = 1300

[Peer]
PublicKey = "----------"
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:51820

and my command for wstunnel is
start wstunnel.exe client --http-upgrade-path-prefix wstunnel -L "udp://127.0.0.1:51820:127.0.0.1:51820" "wss://85.239.61.247:443"
When I first start wstunnel:

Opening TCP connection to 85.239.61.247:443
Doing TLS handshake using SNI IpAddress(85.239.61.247) with the server 85.239.61.247:443

So wstunnel runs, but when I connect to WireGuard it blocks wstunnel and I have no connection. What should I do?

Endpoint = 127.0.0.1:51820
localhost may resolve to IPv6.

Worked on Linux:
wstunnel client -L 'udp://51820:127.0.0.1:51820?timeout_sec=0' wss://85.239.61.247:443 --http-upgrade-path-prefix=blabla

No, it did not fix the problem, but thanks for the reply, man.
When I connect to WireGuard, wstunnel does not work.

Be sure to disable the kill switch, as in #247 (comment),

and don't forget to add a static route to your server.

I tried this as well, but it does not work. Thanks for the reply, though.

Are you sure you have set a static route to your server?
If you have done it and it still does not work, it means your WireGuard is not correctly set up. Try using a specific range of AllowedIPs instead of 0.0.0.0/0 at first.

I found the problem: when you connect WireGuard, it blocks the wstunnel server IP. You should use
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

for the allowed IPs. For example, if your server's IP is 8.8.8.8, you should block the 8.8.8.8 IP from WireGuard; in this situation your AllowedIPs should be
AllowedIPs = 0.0.0.0/5, 8.0.0.0/13, 8.8.0.0/21, 8.8.8.0/29, 8.8.8.9/32, 8.8.8.10/31, 8.8.8.12/30, 8.8.8.16/28, 8.8.8.32/27, 8.8.8.64/26, 8.8.8.128/25, 8.8.9.0/24, 8.8.10.0/23, 8.8.12.0/22, 8.8.16.0/20, 8.8.32.0/19, 8.8.64.0/18, 8.8.128.0/17, 8.9.0.0/16, 8.10.0.0/15, 8.12.0.0/14, 8.16.0.0/12, 8.32.0.0/11, 8.64.0.0/10, 8.128.0.0/9, 9.0.0.0/8, 10.0.0.0/7, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1
to let the client side connect to the server.
You can do an IP route on Windows as well, but it is harder.

@erebe thank you for your great job, really, thanks. Do you have plans to do it for Android and iOS?
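The AllowedIPs exclusion described in the comment above, as an added Python example that is not part of the issue or of wstunnel. It computes the same CIDR split the linked calculator produces, generalised to any set of excluded hosts or networks (the 8.8.8.8 server from the comment plus an optional constructed LAN range), and checks whether a given AllowedIPs value would still capture the real server address, which is the routing loop this thread is about.

```python
import ipaddress
from typing import Iterable, List

# Constructed value for this example: the wstunnel server IP used in the
# comment above (8.8.8.8). Replace with your own server's public address.
WSTUNNEL_SERVER = "8.8.8.8"


def allowed_ips_excluding(excluded: Iterable[str],
                          base: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Split `base` into the smallest set of CIDR blocks that covers every
    address except those in `excluded` (hosts or networks)."""
    remaining = [ipaddress.ip_network(base)]
    for item in excluded:
        target = ipaddress.ip_network(item, strict=False)
        next_remaining = []
        for net in remaining:
            if target.subnet_of(net):
                # Carve the excluded block out of this network (stdlib does the split).
                next_remaining.extend(net.address_exclude(target))
            elif net.subnet_of(target):
                continue  # this block is entirely excluded, drop it
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(remaining)


def allowed_ips_value(excluded: Iterable[str]) -> str:
    """The value to paste after 'AllowedIPs =' in the [Peer] section."""
    return ", ".join(str(n) for n in allowed_ips_excluding(excluded))


def endpoint_is_captured(allowed_ips: str, server_ip: str) -> bool:
    """True if traffic to `server_ip` would itself be sent into the tunnel by
    this AllowedIPs value, i.e. the loop that breaks the wstunnel setup."""
    ip = ipaddress.ip_address(server_ip)
    return any(ip in ipaddress.ip_network(p.strip(), strict=False)
               for p in allowed_ips.split(","))


if __name__ == "__main__":
    value = allowed_ips_value([WSTUNNEL_SERVER])
    print("AllowedIPs =", value)
    print("server captured with 0.0.0.0/0:", endpoint_is_captured("0.0.0.0/0", WSTUNNEL_SERVER))
    print("server captured with split list:", endpoint_is_captured(value, WSTUNNEL_SERVER))
```

Excluding 8.8.8.8 alone yields the 32-entry list from the comment above; adding a constructed LAN range such as 192.168.1.0/24 to the exclusion list keeps local devices reachable as well.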

Hey there. I've encountered the same issue and tried the suggested solutions, namely adding a static route to the system, and allowing this bunch of IPs above.

Can you please verify that I do it correctly?

Executed in CMD:
route ADD 147.45.187.144 MASK 255.255.255.255 192.168.1.1, where 192.168.1.1 is my router. The site is available from the browser OK.
Executed in new CMD:
wstunnel client --http-upgrade-path-prefix "wstunnel" -L udp://127.0.0.1:51820:127.0.0.1:51820 wss://147.45.187.144:443
Wireguard config:

[Peer]
AllowedIPs = 0.0.0.0/5, 8.0.0.0/13, 8.8.0.0/21, ..., 64.0.0.0/2, 128.0.0.0/1

Console client output:

C:\Windows\system32>wstunnel client --http-upgrade-path-prefix "wstunnel" -L udp://127.0.0.1:51820:127.0.0.1:51820 wss://147.45.187.144:443
2024-05-11T19:20:03.441834Z  INFO wstunnel::udp: Starting UDP server listening cnx on 127.0.0.1:51820 with cnx timeout of 30s
2024-05-11T19:20:08.322355Z  INFO wstunnel::udp: New UDP connection from 127.0.0.1:52584
2024-05-11T19:20:08.322698Z  INFO wstunnel::tcp: Opening TCP connection to 147.45.187.144:443
2024-05-11T19:20:08.390923Z  INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(147.45.187.144) with the server 147.45.187.144:443
2024-05-11T19:20:08.858382Z  INFO wstunnel::tcp: Opening TCP connection to 147.45.187.144:443
2024-05-11T19:20:08.930946Z  INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(147.45.187.144) with the server 147.45.187.144:443
2024-05-11T19:20:09.803710Z  INFO wstunnel::tcp: Opening TCP connection to 147.45.187.144:443
2024-05-11T19:20:09.868624Z  INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(147.45.187.144) with the server 147.45.187.144:443
2024-05-11T19:20:11.536315Z  INFO wstunnel::tcp: Opening TCP connection to 147.45.187.144:443
2024-05-11T19:20:11.602571Z  INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(147.45.187.144) with the server 147.45.187.144:443
2024-05-11T19:20:14.872682Z  INFO wstunnel::tcp: Opening TCP connection to 147.45.187.144:443
2024-05-11T19:20:14.939026Z  INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(147.45.187.144) with the server 147.45.187.144:443
2024-05-11T19:20:21.407804Z  INFO wstunnel::tcp: Opening TCP connection to 147.45.187.144:443
2024-05-11T19:20:21.479816Z  INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(147.45.187.144) with the server 147.45.187.144:443
2024-05-11T19:20:34.353582Z  INFO wstunnel::tcp: Opening TCP connection to 147.45.187.144:443
2024-05-11T19:20:34.422334Z  INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(147.45.187.144) with the server 147.45.187.144:443
2024-05-11T19:20:38.324841Z ERROR tunnel{id="018f6919-2b82-7026-99fb-0b7bf26e4921" remote="127.0.0.1:51820"}: wstunnel::tunnel::client: failed to get a connection to the server from the pool: TimedOut

I fixed it on Windows 11 with these steps:
Run the server and the client as described in the main wiki page.

On the Windows client side:

  1. Add a route: route ADD <your server ip> <your gateway>
    If you don't know the gateway, you can check it with the command route print
    For example: route ADD 132.69.69.69 192.168.1.1; it will automatically pick an interface for the given gateway

  2. Uncheck the "Block untunneled traffic" flag in the WireGuard client

No need to do the step with AllowedIPs as described above.