WireGuard&Wstunnel

Everything described below is the result of a technical experiment. The material is not advertising, does not call for any action, is provided solely for informational purposes, and was prepared as part of research.

VPN - WireGuard

Obfuscator - Wstunnel

Port 12345 is used as the WireGuard port, and 192.168.100.10/32 is used as the subnet.

Traffic will be sent to port 443, like to a web server.

The client machine is Windows.

Creating a VPS Server

A VDS/VPS can be bought almost anywhere. There are many cloud hosting providers for every taste. Working examples are timeweb.cloud and hostmenow.org. The first is simpler, the second allows payment with almost anything, including crypto.

As a result, you should have a login and password for a Debian server with a public IP address.

WireGuard Server Side

Install WireGuard and move to the directory:

apt install wireguard iptables -y

cd /etc/wireguard

Create a script for creating iptables rules when WireGuard starts, and insert the code:

mcedit ./add-nat-routing.sh

Insert this code:

#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="eth0" # interface with the public IP
WG_FACE="wg0"
SUB_NET="192.168.100.0/24"
WG_PORT="12345"
#SUB_NET_6="2001:db8::/64"
## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
## IPv6 ##
#$IPT6 -t nat -I POSTROUTING 1 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
#$IPT6 -I INPUT 1 -i $WG_FACE -j ACCEPT
#$IPT6 -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
#$IPT6 -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT

Create a script for removing iptables rules when WireGuard stops:

mcedit ./remove-nat-routing.sh

And insert:

#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="eth0"  # interface with the public IP
WG_FACE="wg0"
SUB_NET="192.168.100.0/24"
WG_PORT="12345"
# SUB_NET_6="2001:db8::/64"
## IPv4 rules ##
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
## IPv6 rules ##
#$IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
#$IPT6 -D INPUT -i $WG_FACE -j ACCEPT
#$IPT6 -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
#$IPT6 -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT

Set permissions:

chmod -v +x /etc/wireguard/*.sh

Allow forwarding by editing the file:

mcedit /etc/sysctl.d/10-wireguard.conf

Add to the file:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Save:

sysctl -p /etc/sysctl.d/10-wireguard.conf

Create keys:

wg genkey | tee privatekey | wg pubkey > publickey

wg genpsk > pskkey

cat privatekey # server private key

cat publickey # server public key

cat pskkey # WireGuard preshared key for symmetric encryption

Create the server configuration by editing the interface file:

mcedit /etc/wireguard/wg0.conf

Insert:

[Interface]
Address = 192.168.100.0/24
PostUp = /etc/wireguard/add-nat-routing.sh
PostDown = /etc/wireguard/remove-nat-routing.sh
ListenPort = 12345
PrivateKey = server_private_key

[Peer]
PublicKey = client_public_key (will appear later in the instructions)
PresharedKey = wireguard_preshared_key
AllowedIPs = 192.168.100.10/32

Add to autostart and restart:

systemctl restart [email protected]

systemctl enable [email protected]

Wstunnel Server Side

Download the Linux release from GitHub and copy the link. As an example, here is the link to wstunnel_10.3.0_linux_amd64.tar.gz.

wget -O wstunnel.tar.gz https://github.com/erebe/wstunnel/releases/download/v10.3.0/wstunnel_10.3.0_linux_amd64.tar.gz

Unpack and remove the archive:

tar -xzf wstunnel.tar.gz wstunnel && rm -fr ./wstunnel.tar.gz

Add execute permission, move the binary, and check that everything is installed:

chmod +x wstunnel

mv wstunnel /usr/local/bin

wstunnel --version

Bind the port (443 in our case):

setcap cap_net_bind_service=+ep /usr/local/bin/wstunnel

Create a key for Wstunnel authorization and save/remember it (it will be needed later in the instructions):

openssl rand -base64 42

Create the service configuration file:

mcedit /etc/systemd/system/wstunnel.service

And add the configuration:

[Unit]
Description=Wstunnel for WireGuard
After=network-online.target
Wants=network-online.target

[Service]
User=root
Type=exec
ExecStart=/usr/local/bin/wstunnel server --restrict-http-upgrade-path-prefix wstunnel_authorization_key wss://server_static_ip:443 --restrict-to 127.0.0.1:12345
Restart=on-failure

[Install]
WantedBy=multi-user.target

Restart and add to autostart:

 systemctl enable wstunnel

systemctl restart wstunnel

Wstunnel Client Side

Download the Windows release from GitHub. As an example, here is the link to wstunnel_10.3.0_windows_amd64.tar.gz.

curl.exe -fLo wstunnel.tar.gz https://github.com/erebe/wstunnel/releases/download/v10.3.0/wstunnel_10.3.0_windows_amd64.tar.gz

Unpack and move the executable somewhere in Program Files, for example into the wstunnel folder:

tar -xzf wstunnel.tar.gz wstunnel.exe

xcopy wstunnel.exe "C:\Program Files\Wstunnel\"

Add wstunnel to environment variables.

In Start, type “Edit the system environment variables” and open the service.

Environment Variables -> Edit -> New

In the lower window (system variables), edit the Path variable and add the new path to the wstunnel folder:

C:\Program Files\Wstunnel\

Check that everything worked with the command (the Wstunnel version should appear):

wstunnel --version

Allow script execution through PowerShell (run as administrator):

reg add HKLM\Software\WireGuard /v DangerousScriptExecution /t REG_DWORD /d 1 /f

The output should be: “The operation completed successfully”.

WireGuard Client Side

Choose and download the client from the WireGuard website. Then install it.

Next, go to the WireGuard folder:

cd C:\Program Files\WireGuard

Create private and public keys and print them to the screen:

 wg genkey > privatekey

type privatekey | wg pubkey > pubkey

 type privatekey # client private key

type publickey # client public key

Allow script execution through PowerShell (run as administrator):

Set-ExecutionPolicy RemoteSigned

Open Notepad and write the configuration into it, substituting the received keys and data.

server_ip - static IP address of your server gateway_ip - gateway IP address (can be checked with ipconfig)

[Interface]
PrivateKey = client_private_key
Address = 192.168.100.10/32
DNS = 8.8.8.8, 8.8.4.4
MTU = 1400
PostUp = route add server_ip mask 255.255.255.255 gateway_ip && start wstunnel client --http-upgrade-path-prefix wstunnel_authorization_key_(from the "Wstunnel Server Side" step) -L udp://12345:127.0.0.1:12345 wss:// server_ip:443
PostDown = route delete server_ip mask 255.255.255.255 gateway_ip && powershell -command "(Get-Process -Name wstunnel).Kill()"

[Peer]
PublicKey = server_public_key (from the "WireGuard Server Side" step)
PresharedKey = wireguard_preshared_key (from the "WireGuard Server Side" step)
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 127.0.0.1:12345
PersistentKeepalive = 15

Uncheck the box labeled “Block untunneled traffic (kill-switch)”.

For macOS / *nix Clients

Install Software

On macOS, this is done through brew:

brew install wstunnel

brew install wireguard-tools

brew install iproute2mac

On a *nix-like machine, through apt:

apt install wstunnel wireguard-tools iproute2

From here on, everything is the same everywhere.

Generate Keys

wg genkey | tee privatekey | wg pubkey > publickey

cat privatekey # client private key

cat publickey # client public key

Open Notepad and write the configuration into it, substituting the received keys and data. Save it to a file named wg0.conf (wg ZERO).

server_ip - static IP address of your server gateway_ip - gateway IP address (can be checked with ipconfig)

[Interface]
PrivateKey = client_private_key
Address = 192.168.100.10/32
DNS = 8.8.8.8, 8.8.4.4
MTU = 1400
PostUp = route add server_ip mask 255.255.255.255 gateway_ip
PostUp = wstunnel client --http-upgrade-path-prefix wstunnel_authorization_key_(from the "Wstunnel Server Side" step) -L udp://12345:127.0.0.1:12345 wss:// server_ip:443
PostDown = route delete server_ip mask 255.255.255.255 gateway_ip
PostDown = killall wstunnel

[Peer]
PublicKey = server_public_key (from the "WireGuard Server Side" step)
PresharedKey = wireguard_preshared_key (from the "WireGuard Server Side" step)
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 127.0.0.1:12345
PersistentKeepalive = 15

In the terminal, go to the wg0.conf file and connect to the server with the command:

wg-quick up ./wg0.conf