Development discussion of WireGuard
 help / color / mirror / Atom feed
* [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
@ 2020-10-04 12:11 Rudi C
  2020-10-09 13:22 ` Roman Mamedov
  2020-10-09 14:26 ` Max R. P. Grossmann
  0 siblings, 2 replies; 11+ messages in thread
From: Rudi C @ 2020-10-04 12:11 UTC (permalink / raw)
  To: wireguard

I use Wireguard to circumvent Iran's censorship. A major problem with
it is that it's very hard to selectively proxy specific domains/apps
through Wireguard, while leaving others alone. This is an essential
feature for Iran's internet, as:
1. The connection is terrible, so avoiding using the proxy for
uncensored sites helps a lot.
2. International traffic is 2x more expensive, so avoiding the proxy
for internal traffic is very beneficial.
3. Some internal sites ban international IPs and need Iranian IPs.

The easiest way to solve this program, as far as I understand, is to
add the ability to expose the tunnel as a socks5 proxy on the client
side. This is the approach that shadowsocks, v2ray, etc have adopted.
There are mature solutions to selectively routing traffic through a
socks proxy.

I searched around, and there are docker containers that already do
this wireguard-to-socks thing; But running docker is expensive on a
non-Linux machine, so it'd be much appreciated if you could support
exposing socks and HTTP proxy servers natively.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-04 12:11 [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client? Rudi C
@ 2020-10-09 13:22 ` Roman Mamedov
  2020-10-09 13:30   ` Rudi C
  2020-10-09 14:19   ` Chris
  2020-10-09 14:26 ` Max R. P. Grossmann
  1 sibling, 2 replies; 11+ messages in thread
From: Roman Mamedov @ 2020-10-09 13:22 UTC (permalink / raw)
  To: Rudi C; +Cc: wireguard

On Sun, 4 Oct 2020 15:41:52 +0330
Rudi C <rudiwillalwaysloveyou@gmail.com> wrote:

> I use Wireguard to circumvent Iran's censorship. A major problem with
> it is that it's very hard to selectively proxy specific domains/apps
> through Wireguard, while leaving others alone. This is an essential
> feature for Iran's internet, as:
> 1. The connection is terrible, so avoiding using the proxy for
> uncensored sites helps a lot.
> 2. International traffic is 2x more expensive, so avoiding the proxy
> for internal traffic is very beneficial.
> 3. Some internal sites ban international IPs and need Iranian IPs.
> 
> The easiest way to solve this program, as far as I understand, is to
> add the ability to expose the tunnel as a socks5 proxy on the client
> side. This is the approach that shadowsocks, v2ray, etc have adopted.
> There are mature solutions to selectively routing traffic through a
> socks proxy.
> 
> I searched around, and there are docker containers that already do
> this wireguard-to-socks thing; But running docker is expensive on a
> non-Linux machine, so it'd be much appreciated if you could support
> exposing socks and HTTP proxy servers natively.

If you tunnel to a VPS abroad, just install a SOCKS proxy on the remote end.
A good one is [1]. Then set the remote end's in-VPN IP and proxy port in your
apps to use.

[1] https://socks-relay.sourceforge.io/

To separate which sites use which proxy (or no proxy) SwitchSharp for Chrome
and FoxyProxy for Firefox, but you probably already know about those.

In case you meant connecting to commercial "VPN" services, then yes it
becomes a bit more complex, but you can try srelay on the local machine and
use the "-J" option, "outbound interface name". But I'm not sure if that would
just work on its own, or also needs some help from ip(6)tables or ip-rule.

-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 13:22 ` Roman Mamedov
@ 2020-10-09 13:30   ` Rudi C
  2020-10-09 13:34     ` Roman Mamedov
  2020-10-09 14:19   ` Chris
  1 sibling, 1 reply; 11+ messages in thread
From: Rudi C @ 2020-10-09 13:30 UTC (permalink / raw)
  To: Roman Mamedov; +Cc: wireguard

> On Fri, Oct 9, 2020 at 4:52 PM Roman Mamedov <rm@romanrm.net> wrote:
> just install a SOCKS proxy

These simple solutions get blocked by the DPI. (I do have my own VPS.)

> you can try srelay on the local machine and
use the "-J" option, "outbound interface name". But I'm not sure if that would
just work on its own, or also needs some help from ip(6)tables or ip-rule.

Can you give me some pointers to what I should study to grok these? I
know the basic TCP/IP theoretical stuff, but I have almost no
experience in practical networking.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 13:30   ` Rudi C
@ 2020-10-09 13:34     ` Roman Mamedov
  2020-10-09 13:46       ` Rudi C
  0 siblings, 1 reply; 11+ messages in thread
From: Roman Mamedov @ 2020-10-09 13:34 UTC (permalink / raw)
  To: Rudi C; +Cc: wireguard

On Fri, 9 Oct 2020 17:00:31 +0330
Rudi C <rudiwillalwaysloveyou@gmail.com> wrote:

> > On Fri, Oct 9, 2020 at 4:52 PM Roman Mamedov <rm@romanrm.net> wrote:
> > just install a SOCKS proxy
> 
> These simple solutions get blocked by the DPI. (I do have my own VPS.)

Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
of your VPS, all communication with the SOCKS proxy installed on the VPS will
happen via the WireGuard tunnel. No DPI can look into that.

-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 13:34     ` Roman Mamedov
@ 2020-10-09 13:46       ` Rudi C
  2020-10-09 14:05         ` Roman Mamedov
  0 siblings, 1 reply; 11+ messages in thread
From: Rudi C @ 2020-10-09 13:46 UTC (permalink / raw)
  To: Roman Mamedov; +Cc: wireguard

> On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <rm@romanrm.net> wrote:
> Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
> of your VPS, all communication with the SOCKS proxy installed on the VPS will
> happen via the WireGuard tunnel. No DPI can look into that.

You're right! Some questions:
1. What should I do client-side so that wireguard only covers my VPS's
IP (and does not otherwise route traffic)? Will `AllowedIPs =
SERVER_IP/32` do it?
2. How do I get the in-VPN IP of the server? Is it `Address` in `[Interface]`?
3. I use ufw for the firewall on the server. Will ufw block my local
machine? If not, with what IP should I set ufw rules? (My local
machine doesn't have a static IP.) Of course, I could alternatively
expose the socks proxy to the world with a password; How secure will
that be?

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 13:46       ` Rudi C
@ 2020-10-09 14:05         ` Roman Mamedov
  2020-10-09 14:08           ` David Kerr
  0 siblings, 1 reply; 11+ messages in thread
From: Roman Mamedov @ 2020-10-09 14:05 UTC (permalink / raw)
  To: Rudi C; +Cc: wireguard

On Fri, 9 Oct 2020 17:16:18 +0330
Rudi C <rudiwillalwaysloveyou@gmail.com> wrote:

> > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <rm@romanrm.net> wrote:
> > Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
> > of your VPS, all communication with the SOCKS proxy installed on the VPS will
> > happen via the WireGuard tunnel. No DPI can look into that.
> 
> You're right! Some questions:
> 1. What should I do client-side so that wireguard only covers my VPS's
> IP (and does not otherwise route traffic)? Will `AllowedIPs =
> SERVER_IP/32` do it?

SERVER_IP should be the in-VPN IP here, otherwise yes, and remove .0.0.0/0
and ::/0 from AllowedIPs.

> 2. How do I get the in-VPN IP of the server? Is it `Address` in `[Interface]`?

Yes. You can confirm via "ip addr list dev wgX" on the server.

> 3. I use ufw for the firewall on the server. Will ufw block my local
> machine? If not, with what IP should I set ufw rules? (My local
> machine doesn't have a static IP.) Of course, I could alternatively
> expose the socks proxy to the world with a password; How secure will
> that be?

Sorry, not familiar with ufw; generally you need to allow only connections
from the WG interface, or from the internal IP range (or just the "Address ="
of the client), and block all others.

-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 14:05         ` Roman Mamedov
@ 2020-10-09 14:08           ` David Kerr
  0 siblings, 0 replies; 11+ messages in thread
From: David Kerr @ 2020-10-09 14:08 UTC (permalink / raw)
  To: Roman Mamedov; +Cc: Rudi C, wireguard

Do you have a linux-based gateway you can manage yourself?  And that
gateway has dnsmasq and iptables/netfilter available?  If yes then you
can selectively route traffic over a wireguard interface and leave the
rest to go to default.

Warning... this is expert stuff...

in dnsmasq.static set list of all the domains you want to send over wireguard...

ipset=/example.com/VPN_LIST_IPV4,VPN_LIST_IPV6
ipset=/example.org/VPN_LIST_IPV4,VPN_LIST_IPV6

Export some environment variables...
VPN2IF="wg2"
VPN2IP="10.11.12.13"
VPN2DNS="8.8.8.8"
INTIF="eth1"
INTIP="192.168.0.1"

And execute the following to create the wireguard interface, setup the
network routing and iptables rules, etc...
Note that your system may use just "iptables" for IPv4 rather than
"ip4tables" and that your firewall netfilter chains might be named
differently from mine.  But if you are familiar enough with
iptables/netfilter then you should be able to figure it out...

# =============================================================================
# Route traffic to select domains over $VPN2IF
# Start by creating a wireguard VPN interface
if ! ip link show dev $VPN2IF >/dev/null 2>&1; then
  ip link add dev $VPN2IF type wireguard
  ip address add dev $VPN2IF $VPN2IP/32
  wg setconf $VPN2IF /etc/wireguard/$VPN2IF.conf
  ip link set up dev $VPN2IF
fi
# route DNS IP address over the VPN in default routing table
ip route add $VPN2DNS dev $VPN2IF
# create a new routing table (400) with default route to VPN interface
# and send all packets marked with 0x8 bit to that table
ip route add default dev $VPN2IF table 400
ip rule add from $INTIP/24 fwmark 0x8/0x8 table 400 priority 2000
# create an ipset hash which dnsmasq will save all IP addresses for the domains
# and add the 0x8 firewall mark to all traffic going to those destinations
ipset -exist create VPN_LIST_IPV4 hash:ip family inet
ip4tables -t mangle -A PREROUTING -i $INTIF -m set --match-set
VPN_LIST_IPV4 dst -j MARK --set-xmark 0x8/0x8
# make sure traffic from my internal interface is permitted to forward
to/from the VPN interface
ip4tables -A FORWARD_CHAIN -i $INTIF -o $VPN2IF -j ACCEPT
ip4tables -A FORWARD_CHAIN -i $VPN2IF -o $INTIF -j ACCEPT
# and NAT traffic over the VPN
ip4tables -t nat -A NAT_POSTROUTING_CHAIN -s $INTIP/24 ! -d $INTIP/24
-o $VPN2IF -j MASQUERADE
# the VPN does not support IPv6 so drop all attempts to connect by IPv6
ipset -exist create VPN_LIST_IPV6 hash:ip family inet6
ip6tables -I FORWARD_CHAIN -i $INTIF -m set --match-set VPN_LIST_IPV6
dst -j DROP


On Fri, Oct 9, 2020 at 10:05 AM Roman Mamedov <rm@romanrm.net> wrote:
>
> On Fri, 9 Oct 2020 17:16:18 +0330
> Rudi C <rudiwillalwaysloveyou@gmail.com> wrote:
>
> > > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <rm@romanrm.net> wrote:
> > > Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
> > > of your VPS, all communication with the SOCKS proxy installed on the VPS will
> > > happen via the WireGuard tunnel. No DPI can look into that.
> >
> > You're right! Some questions:
> > 1. What should I do client-side so that wireguard only covers my VPS's
> > IP (and does not otherwise route traffic)? Will `AllowedIPs =
> > SERVER_IP/32` do it?
>
> SERVER_IP should be the in-VPN IP here, otherwise yes, and remove .0.0.0/0
> and ::/0 from AllowedIPs.
>
> > 2. How do I get the in-VPN IP of the server? Is it `Address` in `[Interface]`?
>
> Yes. You can confirm via "ip addr list dev wgX" on the server.
>
> > 3. I use ufw for the firewall on the server. Will ufw block my local
> > machine? If not, with what IP should I set ufw rules? (My local
> > machine doesn't have a static IP.) Of course, I could alternatively
> > expose the socks proxy to the world with a password; How secure will
> > that be?
>
> Sorry, not familiar with ufw; generally you need to allow only connections
> from the WG interface, or from the internal IP range (or just the "Address ="
> of the client), and block all others.
>
> --
> With respect,
> Roman

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 13:22 ` Roman Mamedov
  2020-10-09 13:30   ` Rudi C
@ 2020-10-09 14:19   ` Chris
  2020-10-09 14:32     ` Roman Mamedov
  1 sibling, 1 reply; 11+ messages in thread
From: Chris @ 2020-10-09 14:19 UTC (permalink / raw)
  To: wireguard

Maybe I oversimplify your problem, but from what I read, your standard route 
will be using the Iranian net.
And - I guess - it is only a limited numer of IP addresses, that you would like 
to reach through the tunnel.

I don't know your OS, but simply adding ip routes pointing to the tunnel for the 
desired destinations would do the job.

Chris


On 09/10/2020 15:22, Roman Mamedov wrote:
> On Sun, 4 Oct 2020 15:41:52 +0330
> Rudi C <rudiwillalwaysloveyou@gmail.com> wrote:
>
>> I use Wireguard to circumvent Iran's censorship. A major problem with
>> it is that it's very hard to selectively proxy specific domains/apps
>> through Wireguard, while leaving others alone. This is an essential
>> feature for Iran's internet, as:
>> 1. The connection is terrible, so avoiding using the proxy for
>> uncensored sites helps a lot.
>> 2. International traffic is 2x more expensive, so avoiding the proxy
>> for internal traffic is very beneficial.
>> 3. Some internal sites ban international IPs and need Iranian IPs.
>>
>> The easiest way to solve this program, as far as I understand, is to
>> add the ability to expose the tunnel as a socks5 proxy on the client
>> side. This is the approach that shadowsocks, v2ray, etc have adopted.
>> There are mature solutions to selectively routing traffic through a
>> socks proxy.
>>
>> I searched around, and there are docker containers that already do
>> this wireguard-to-socks thing; But running docker is expensive on a
>> non-Linux machine, so it'd be much appreciated if you could support
>> exposing socks and HTTP proxy servers natively.
> If you tunnel to a VPS abroad, just install a SOCKS proxy on the remote end.
> A good one is [1]. Then set the remote end's in-VPN IP and proxy port in your
> apps to use.
>
> [1] https://socks-relay.sourceforge.io/
>
> To separate which sites use which proxy (or no proxy) SwitchSharp for Chrome
> and FoxyProxy for Firefox, but you probably already know about those.
>
> In case you meant connecting to commercial "VPN" services, then yes it
> becomes a bit more complex, but you can try srelay on the local machine and
> use the "-J" option, "outbound interface name". But I'm not sure if that would
> just work on its own, or also needs some help from ip(6)tables or ip-rule.
>



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-04 12:11 [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client? Rudi C
  2020-10-09 13:22 ` Roman Mamedov
@ 2020-10-09 14:26 ` Max R. P. Grossmann
  2020-10-14 11:04   ` Thireus
  1 sibling, 1 reply; 11+ messages in thread
From: Max R. P. Grossmann @ 2020-10-09 14:26 UTC (permalink / raw)
  To: Rudi C; +Cc: wireguard

[-- Attachment #1: Type: text/plain, Size: 1830 bytes --]

Another idea would be to install WireGuard in a (tiny) virtual machine or a VPS and then ssh into that machine using

	ssh -TD9151 user@example.com

This creates a SOCKS5 proxy on port 9151.

Then, for example, you could create two Firefox profiles; one without a proxy (for the uncensored websites) and another that utilizes the SOCKS5 proxy on port 9151. The SOCKS5 proxy exposed by ssh will route all traffic over your virtual machine (example.com above), which will in turn route it through WireGuard.

Since ssh can now be natively used under Windows, I'd be surprised if its -D option were not available. AFAIR, Putty can also do something similar.

Best,

Max

On 20/10/04 03:41pm, Rudi C wrote:
> I use Wireguard to circumvent Iran's censorship. A major problem with
> it is that it's very hard to selectively proxy specific domains/apps
> through Wireguard, while leaving others alone. This is an essential
> feature for Iran's internet, as:
> 1. The connection is terrible, so avoiding using the proxy for
> uncensored sites helps a lot.
> 2. International traffic is 2x more expensive, so avoiding the proxy
> for internal traffic is very beneficial.
> 3. Some internal sites ban international IPs and need Iranian IPs.
> 
> The easiest way to solve this program, as far as I understand, is to
> add the ability to expose the tunnel as a socks5 proxy on the client
> side. This is the approach that shadowsocks, v2ray, etc have adopted.
> There are mature solutions to selectively routing traffic through a
> socks proxy.
> 
> I searched around, and there are docker containers that already do
> this wireguard-to-socks thing; But running docker is expensive on a
> non-Linux machine, so it'd be much appreciated if you could support
> exposing socks and HTTP proxy servers natively.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 14:19   ` Chris
@ 2020-10-09 14:32     ` Roman Mamedov
  0 siblings, 0 replies; 11+ messages in thread
From: Roman Mamedov @ 2020-10-09 14:32 UTC (permalink / raw)
  To: Chris; +Cc: wireguard

On Fri, 9 Oct 2020 16:19:22 +0200
Chris <wireguard@spam-free.eu> wrote:

> Maybe I oversimplify your problem, but from what I read, your standard route 
> will be using the Iranian net.
> And - I guess - it is only a limited numer of IP addresses, that you would like 
> to reach through the tunnel.
> 
> I don't know your OS, but simply adding ip routes pointing to the tunnel for the 
> desired destinations would do the job.

OK, a desired destination would be *.youtube.com, how would you go about that?

You can't add routes to domain names of websites, not to mention to wildcards
of domain names; and websites can resolve into a lot of IPs, which will change
randomly due to load balancing, or due to sites migrating their hosting over
time. So just resolving them right now and using specific IPs likely wouldn't
work for long.

One solution is the browser extensions that I mentioned coupled with a SOCKS
proxy on remote side. Another is what David suggests with dnsmasq and ipset,
which seems like it'll be more transparent from the usage standpoint, but also
more complex to set up.

-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
  2020-10-09 14:26 ` Max R. P. Grossmann
@ 2020-10-14 11:04   ` Thireus
  0 siblings, 0 replies; 11+ messages in thread
From: Thireus @ 2020-10-14 11:04 UTC (permalink / raw)
  To: Max R. P. Grossmann; +Cc: Rudi C, wireguard

Maybe this could help: https://github.com/kizzx2/docker-wireguard-socks-proxy

> Le 9 oct. 2020 à 15:26, Max R. P. Grossmann <m@max.pm> a écrit :
> 
> Another idea would be to install WireGuard in a (tiny) virtual machine or a VPS and then ssh into that machine using
> 
> 	ssh -TD9151 user@example.com
> 
> This creates a SOCKS5 proxy on port 9151.
> 
> Then, for example, you could create two Firefox profiles; one without a proxy (for the uncensored websites) and another that utilizes the SOCKS5 proxy on port 9151. The SOCKS5 proxy exposed by ssh will route all traffic over your virtual machine (example.com above), which will in turn route it through WireGuard.
> 
> Since ssh can now be natively used under Windows, I'd be surprised if its -D option were not available. AFAIR, Putty can also do something similar.
> 
> Best,
> 
> Max
> 
> On 20/10/04 03:41pm, Rudi C wrote:
>> I use Wireguard to circumvent Iran's censorship. A major problem with
>> it is that it's very hard to selectively proxy specific domains/apps
>> through Wireguard, while leaving others alone. This is an essential
>> feature for Iran's internet, as:
>> 1. The connection is terrible, so avoiding using the proxy for
>> uncensored sites helps a lot.
>> 2. International traffic is 2x more expensive, so avoiding the proxy
>> for internal traffic is very beneficial.
>> 3. Some internal sites ban international IPs and need Iranian IPs.
>> 
>> The easiest way to solve this program, as far as I understand, is to
>> add the ability to expose the tunnel as a socks5 proxy on the client
>> side. This is the approach that shadowsocks, v2ray, etc have adopted.
>> There are mature solutions to selectively routing traffic through a
>> socks proxy.
>> 
>> I searched around, and there are docker containers that already do
>> this wireguard-to-socks thing; But running docker is expensive on a
>> non-Linux machine, so it'd be much appreciated if you could support
>> exposing socks and HTTP proxy servers natively.



^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2020-10-16 13:17 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-04 12:11 [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client? Rudi C
2020-10-09 13:22 ` Roman Mamedov
2020-10-09 13:30   ` Rudi C
2020-10-09 13:34     ` Roman Mamedov
2020-10-09 13:46       ` Rudi C
2020-10-09 14:05         ` Roman Mamedov
2020-10-09 14:08           ` David Kerr
2020-10-09 14:19   ` Chris
2020-10-09 14:32     ` Roman Mamedov
2020-10-09 14:26 ` Max R. P. Grossmann
2020-10-14 11:04   ` Thireus

Development discussion of WireGuard

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/wireguard

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 wireguard wireguard/ http://inbox.vuxu.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git