15

WireGuard is pretty hot these days, deservedly so. I'm also eager to replace OpenVPN with WireGuard.

However, unlike OpenVPN, Wireguard only supports UDP. I like to use TCP port 443 because this port is likely not blocked by a firewall. OpenVPN even has an option to use an HTTP proxy. This is pretty cool, because it enables me to get full, unrestricted internet access in networks that don't have a route to the internet and require users to use a web proxy instead.

How can I achieve the same with WireGuard? An HTTPS tunnel that works for UDP?

Let's assume both endpoints are running Linux, I have full root access to both, and of course I have permission by everyone involved to do this.

Volker
  • 408

4 Answers

5

This seems to do exactly what I want, even though you need cntlm as an additional proxy if the proxy requires NTLM authentication.

Volker
  • 408
4

The official documentation says why they don't support TCP and DPI [1]:

WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard's UDP packets into TCP is the job of an upper layer of obfuscation

For TCP tunneling they suggest using udp2raw [2] or udptunnel [3].

Note this only covers TCP tunneling; it won't mask it over HTTP(S), so it won't be protected if your firewall performs Deep Packet Inspection or header analysis etc. You would need a more advanced setup for that.

  1. https://www.wireguard.com/known-limitations/
  2. https://github.com/wangyu-/udp2raw
  3. https://github.com/rfc1036/udptunnel
Manquer
  • 141
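As an added illustration (not code from the question, the answers, or the udptunnel/udp2raw projects), here is a minimal UDP-over-TCP relay of the kind those tools implement: each WireGuard datagram is length-prefixed into a single TCP connection on port 443 and unwrapped on the far side. The port numbers and 127.0.0.1 addresses are assumptions; it is plain TCP, not HTTP(S), so the DPI caveat above still applies, as does the TCP-over-TCP performance cost.

```python
import asyncio, struct

def frame(datagram: bytes) -> bytes:
    """Wrap one datagram as <2-byte big-endian length><payload> for the TCP stream."""
    return struct.pack("!H", len(datagram)) + datagram  # struct.error if > 65535 bytes

def unframe(buf: bytes):
    """Split a TCP byte buffer into complete datagrams; return (datagrams, leftover)."""
    out = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break  # partial frame: wait for more bytes
        out.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return out, buf

class _UdpSide(asyncio.DatagramProtocol):  # UDP side: frames each datagram into the TCP writer
    def __init__(self, writer):
        self.writer, self.transport, self.peer = writer, None, None
    def connection_made(self, transport):
        self.transport = transport
    def datagram_received(self, data, addr):
        self.peer = addr  # where TCP-side replies go
        self.writer.write(frame(data))

async def _tcp_to_udp(reader, udp, default_peer):
    """TCP side of the relay: reassemble frames and emit them as datagrams."""
    buf = b""
    while chunk := await reader.read(65536):
        dgrams, buf = unframe(buf + chunk)
        for d in dgrams:
            if udp.peer or default_peer:  # drop until we know where to deliver
                udp.transport.sendto(d, udp.peer or default_peer)

async def client(server_host, listen_port=51820, server_port=443):
    """Client side; local WireGuard uses Endpoint = 127.0.0.1:<listen_port> (assumed ports)."""
    reader, writer = await asyncio.open_connection(server_host, server_port)
    _, udp = await asyncio.get_running_loop().create_datagram_endpoint(
        lambda: _UdpSide(writer), local_addr=("127.0.0.1", listen_port))
    await _tcp_to_udp(reader, udp, None)

async def server(listen_port=443, wg_port=51820):
    """Server side; hands each datagram to the local WireGuard UDP port (assumed ports)."""
    async def handle(reader, writer):
        _, udp = await asyncio.get_running_loop().create_datagram_endpoint(
            lambda: _UdpSide(writer), remote_addr=("127.0.0.1", wg_port))
        await _tcp_to_udp(reader, udp, ("127.0.0.1", wg_port))
    srv = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    await srv.serve_forever()
```

Run `asyncio.run(server())` on the VPN host and `asyncio.run(client("vpn.example"))` on the client, then point the client's WireGuard peer at 127.0.0.1:51820; the length prefix is what keeps datagram boundaries intact across the byte stream.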
2

HTTPS is not something you would use to tunnel traffic; however, WebSockets are suitable for that.

I think you are looking for WStunnel. It is capable of tunneling it via TLS as well.

Journeyman Geek
  • 133,878
blek__
  • 23
0

Could run an SSH VPN (using ssh on port 443) and run WireGuard over the interfaces created.

Probably could also run WireGuard over your existing OpenVPN.

The premise of WireGuard appears to be connectionless by design, so I doubt a TCP or HTTP feature is coming soon (sorry).

danblack
  • 298