Martin Koníček
WebSocket connection to WireGuard
First we need to set up Nginx as an SNI proxy in front of everything on port 443. If you already run an HTTPS server there (nginx, a Kubernetes ingress, Traefik, ...), the SNI proxy sits in front of it and splits incoming TLS connections by the server name in the ClientHello: connections for the tunnel hostname go to wstunnel, everything else goes to the existing web server. Nothing is decrypted at this layer, so no certificates have to move or change.
Install Nginx and configure it as follows (the stream module must be available; on Debian/Ubuntu it is loaded from /etc/nginx/modules-enabled/).
/etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 1024;
}
# A plain TCP (stream) proxy: it only peeks at the ClientHello and never terminates TLS,
# so the certificates stay where they are (on the existing web server and on wstunnel).
stream {
    resolver 8.8.8.8;   # only used if a map target below is a hostname rather than an IP
    map $ssl_preread_server_name $selected_upstream {
        YOUR.WIREGUARD.WEBSITE.COM 127.0.0.1:10443;   # wstunnel
        default 127.0.0.1:8443;   # YOUR EXISTING HTTPS WEBSERVER ADDRESS (moved off port 443)
    }
    server {
        listen 443;   # PORT WE WILL LISTEN ON
        ssl_preread on;   # read the SNI from the ClientHello before choosing the upstream
        proxy_pass $selected_upstream;
    }
}
Installing WSTunnel
Next, install wstunnel. Download a release build from https://github.com/erebe/wstunnel/releases and copy the binary to /usr/bin/.
/etc/systemd/system/wstunnel.service
[Unit]
Description=WebSocket tunnel for WireGuard
After=network.target
[Service]
Type=simple
User=nobody
# Bind on loopback: only the local nginx needs to reach this port.
# --restrict-to is essential: without it the server is an open relay to any host:port a client asks for.
ExecStart=/usr/bin/wstunnel server wss://127.0.0.1:10443 --restrict-to 127.0.0.1:51820
Restart=on-failure
[Install]
WantedBy=multi-user.target
This service accepts the WebSocket connections nginx hands over and forwards the tunnelled UDP to port 51820 on localhost, where WireGuard listens. Two things to be aware of. First, --restrict-to limits what a client may ask the server to connect to; without it wstunnel would relay to anything. Second, because nginx only inspects the SNI and never terminates TLS, it is wstunnel that answers the TLS handshake on port 10443. If you do not give it the certificate and key for YOUR.WIREGUARD.WEBSITE.COM with --tls-certificate and --tls-private-key, it generates a self-signed one; the tunnel still works because the wstunnel client does not verify the server certificate unless told to, but then anyone on the path can impersonate the TLS endpoint. What they would see inside is still WireGuard ciphertext, so the VPN itself is not exposed, but a proper certificate plus --tls-verify-certificate on the client is the clean setup.
Client configuration
To run the client on Windows I keep the following Python script in the "shell:startup" folder, so it starts wstunnel in the background at every login (the .pyw extension runs it without a console window). The hostname in the wss:// URL must be the one in the nginx map, since the SNI the client sends is what selects the tunnel.
tunnel.pyw
import subprocess

# Start wstunnel detached from the (invisible) pythonw process so it keeps running
# after this script exits. subprocess.DETACHED_PROCESS is the flag value 8 on Windows.
subprocess.Popen(
    [r"C:\Windows\wstunnel.exe", "client",
     "wss://yourwebsite.com/",
     "-L", "udp://51820:127.0.0.1:51820"],   # local UDP 51820 -> 127.0.0.1:51820 on the server
    creationflags=subprocess.DETACHED_PROCESS,
    close_fds=True,
)
I run this script at every login to Windows, and the WireGuard tunnel is then set up with the peer's Endpoint pointing to localhost:51820, so WireGuard's UDP enters the local end of the WebSocket tunnel instead of going straight to the server.
If you want to route all traffic through the VPN (AllowedIPs = 0.0.0.0/0), you have to exclude the public IP of yourwebsite.com from AllowedIPs: otherwise the wstunnel TCP connection to the server would itself be routed into the tunnel and the tunnel would never come up. The following calculator produces the list of prefixes that cover everything except the addresses you exclude:
Wireguard Disallowed IPs
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
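An added Python implementation of that calculation (example code, not the calculator linked above and not from the original post), generalised to any number of excluded networks and to both address families: it subtracts the excluded prefixes from 0.0.0.0/0 and ::/0 with the standard library's address_exclude and emits a collapsed CIDR list. The server address 203.0.113.10 (a documentation range) and the LAN 192.168.1.0/24 are constructed placeholders.

```python
import ipaddress


def allowed_ips_excluding(excluded, allowed=("0.0.0.0/0", "::/0")):
    """Return `allowed` minus every network in `excluded`, as a list of CIDR
    strings for a WireGuard AllowedIPs= line. Each address family is handled
    on its own; carving one /32 out of 0.0.0.0/0 yields 32 prefixes."""
    excluded = [ipaddress.ip_network(e, strict=False) for e in excluded]
    result = []
    for net in (ipaddress.ip_network(a) for a in allowed):
        pieces = [net]
        for ex in excluded:
            if ex.version != net.version:
                continue                        # an IPv4 exclusion never touches ::/0
            next_pieces = []
            for piece in pieces:
                if ex.subnet_of(piece):
                    # address_exclude yields the sibling prefixes along the path to ex
                    # (and nothing at all when ex == piece)
                    next_pieces.extend(piece.address_exclude(ex))
                elif piece.subnet_of(ex):
                    pass                        # wholly inside the exclusion: drop it
                else:
                    next_pieces.append(piece)   # disjoint: keep as is
            pieces = next_pieces
        # collapse_addresses accepts only one family at a time, hence per net
        result.extend(ipaddress.collapse_addresses(pieces))
    return [str(n) for n in result]


def is_covered(networks, address):
    """True if `address` would be routed into the tunnel by this AllowedIPs list."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    # 203.0.113.10 stands in for the public IP of yourwebsite.com (constructed,
    # documentation range); 192.168.1.0/24 is a typical home LAN kept local.
    allowed = allowed_ips_excluding(["203.0.113.10", "192.168.1.0/24"])
    print("AllowedIPs = " + ", ".join(allowed))
    print("server routed into tunnel:", is_covered(allowed, "203.0.113.10"))
```

Paste the printed list into the AllowedIPs line of the [Peer] section; is_covered is there to confirm, before you commit the config, that the server's own address is not routed into the tunnel.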