computerscot.github.io

WireGuard + TCP using udp2raw

September 16, 2023

In this post you obfuscate WireGuard by disguising UDP as TCP.

References:

Ubuntu server

It is assumed that you are using Ubuntu 22.04 and logged in as root.

1. Open firewall

Choose a port on which the server will accept input. We will use tcp/8443 in our example.

Open this port (tcp/8443 in our example) in your server firewall.

We will use udp2raw to convert UDP to TCP. On the client it will listen on port udp/50001. On the server side, traffic arrives at port tcp/8443. As a final step, udp2raw sends it to WireGuard on udp/51820.

2. Install and configure WireGuard

Install WireGuard:

apt update && apt upgrade -y
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

The script prompts you to answer various questions. You can accept the defaults except:

At the end of the script's run, you are prompted to choose a name for the client, e.g. xxxxxxxx. The script then generates a client configuration file named, for example, wg0-client-xxxxxxxx.conf.

3. Install udp2raw

Visit https://github.com/wangyu-/udp2raw/releases to determine the latest release of udp2raw.

Install the latest release of udp2raw:

wget https://github.com/wangyu-/udp2raw/releases/download/20230206.0/udp2raw_binaries.tar.gz
tar -xf udp2raw_binaries.tar.gz
cp udp2raw_amd64 /usr/local/bin/udp2raw

4. Configure WireGuard to use udp2raw

udp2raw can operate in modes faketcp, udp, or icmp. faketcp is the default if no other --raw-mode is specified. See the Usage section of the README. This tutorial demonstrates faketcp.

Generate a preshared secret for udp2raw:

< /dev/urandom tr -dc a-z0-9 | head -c 16; echo

Example:

dm9x7z0wbs82eiu3

Add the following settings to the [Interface] section of /etc/wireguard/wg0.conf:

MTU = 1300
PreUp = udp2raw -s -l 0.0.0.0:8443 -r 127.0.0.1:51820 -k "dm9x7z0wbs82eiu3" -a >/var/log/udp2raw.log 2>&1 &
PostDown = killall udp2raw || true

Restart WireGuard with the revised configuration:

systemctl restart wg-quick@wg0

This is the end of the server work for now. WireGuard is listening on udp/51820. udp2raw is listening on tcp/8443. Exit your SSH session with the server:

exit

Windows client

Our client in this tutorial runs Windows.

1. Install WireGuard

Install the WireGuard for Windows client from https://www.wireguard.com/install. For Windows you get an installer named wireguard-installer.exe, which you must run to install the Windows WireGuard GUI client. Initially the GUI client has no tunnels defined.

2. Download client configuration

Download the WireGuard client configuration file that you generated on the server, using the following PowerShell command. Replace XX.XX.XX.XX with your server IP address:

scp root@XX.XX.XX.XX:wg0-client-xxxxxxxx.conf Downloads

Do not import the client configuration file into the Windows WireGuard GUI client just yet. You have to make a few changes to it. We will do that toward the end of the client set-up.

3. Download udp2raw

Visit https://github.com/wangyu-/udp2raw/releases to determine the latest release of udp2raw.

Click the link marked windows and mac version.

Download the most recent udp2raw_mp_binaries.tar.gz.

Use 7-Zip to extract udp2raw_mp_binaries.tar.

Extract the folder udp2raw_mp_binaries.

To make it easier to find, copy udp2raw_mp.exe up to your main Downloads folder.

4. Run udp2raw

Open a new Command Prompt window. Issue the commands:

cd Downloads
udp2raw_mp.exe -c -l 127.0.0.1:50001 -r XX.XX.XX.XX:8443 -k "dm9x7z0wbs82eiu3"

In the above, replace XX.XX.XX.XX by your server IP address, and replace dm9x7z0wbs82eiu3 by your shared secret.

5. Prevent routing loop

This is the critical step to get the whole thing to work. Normally WireGuard will route your entire Internet traffic through the WireGuard interface. You need to override that behavior for one specific address, namely the IP address of your server. Traffic for the server must not go back into WireGuard. That would create an infinite loop. Packets for the server must go out directly over the default gateway.

Open a browser. Visit https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator.

  1. Set Allowed IPs to 0.0.0.0/0,::/0.
  2. Set Disallowed IPs to YOUR.SERVER.IP.ADDRESS.
  3. Press Calculate.
  4. Copy the resulting AllowedIPs = line into your downloaded copy of the client configuration file, replacing the original line.
  5. Save the amended client configuration file.

6. Configure WireGuard client

Make some final changes to the generated client configuration. The WireGuard client must think it is talking to a server on localhost, which in fact is where udp2raw is listening. Change the Endpoint line in the [Peer] section to:

Endpoint = 127.0.0.1:50001

Also add a line to the [Interface] section:

MTU = 1300

Save the file.

Now import the amended tunnel configuration into your WireGuard GUI client.

You may have to manually uncheck the box that blocks untunneled traffic (the kill switch), since the udp2raw traffic to your server must leave outside the tunnel.
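The client-side edits of steps 5 and 6 can be scripted rather than done by hand. The following Python is an added example, not code from the original post or from udp2raw: it computes the same AllowedIPs set the procustodibus calculator produces (0.0.0.0/0 minus the server's /32, plus ::/0), rewrites Endpoint to the local udp2raw listener, and inserts MTU = 1300. It assumes an IPv4 server address; the sample configuration and its keys are constructed placeholders.

```python
# Added example (not from the original post): apply the step 5 and step 6 edits to a
# wireguard-install client config, computing the loop-free AllowedIPs the
# procustodibus calculator would give (assumes an IPv4 server address).
import ipaddress

UDP2RAW_LOCAL_ENDPOINT = "127.0.0.1:50001"  # where udp2raw_mp.exe -l listens
TUNNEL_MTU = 1300

def allowed_ips_excluding(server_ip: str) -> str:
    """0.0.0.0/0 minus the server's /32, plus ::/0, as a WireGuard AllowedIPs value."""
    host = ipaddress.ip_network(server_ip)  # "203.0.113.5" -> 203.0.113.5/32
    # address_exclude() yields the 32 CIDR blocks that together cover everything
    # except host, so packets to the server fall through to the default gateway
    blocks = sorted(ipaddress.ip_network("0.0.0.0/0").address_exclude(host))
    return ", ".join([str(b) for b in blocks] + ["::/0"])

def rewrite_client_conf(conf: str, server_ip: str) -> str:
    """Set MTU, point Endpoint at local udp2raw, exclude the server from AllowedIPs."""
    out, section = [], None
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            section = stripped
            out.append(line)
            if section == "[Interface]":
                out.append(f"MTU = {TUNNEL_MTU}")
            continue
        key = stripped.split("=", 1)[0].strip()
        if section == "[Interface]" and key == "MTU":
            continue  # drop a pre-existing MTU; ours was inserted above
        if section == "[Peer]" and key == "AllowedIPs":
            out.append(f"AllowedIPs = {allowed_ips_excluding(server_ip)}")
        elif section == "[Peer]" and key == "Endpoint":
            out.append(f"Endpoint = {UDP2RAW_LOCAL_ENDPOINT}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample in wireguard-install's layout; keys are placeholders.
SAMPLE_CONF = """[Interface]
PrivateKey = CLIENT-PRIVATE-KEY-PLACEHOLDER
Address = 10.66.66.2/32

[Peer]
PublicKey = SERVER-PUBLIC-KEY-PLACEHOLDER
Endpoint = 203.0.113.5:51820
AllowedIPs = 0.0.0.0/0,::/0
"""
```

Run `print(rewrite_client_conf(SAMPLE_CONF, "203.0.113.5"))` to see the amended file; the AllowedIPs line will list 32 IPv4 blocks plus ::/0, none of which contains the server address.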

7. End-to-end connect

In the WireGuard GUI client, activate the tunnel.

Open a browser and test your connection.