Wireguard only supports UDP. The main reason being TCP over TCP is extremely slow.
You could try OpenVPN, I think that has a TCP mode though, as said, don't expect good performance.
this post was submitted on 26 Jun 2023
16 points (100.0% liked)
Selfhosted
40391 readers
601 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Try UDP port 123 sometimes that goes through the firewalls
I will try this port. Any other port that could work? (Not 53 as it's being filtered by ISP)
For my setup, I used UDP port 443. For the vast majority of situations it works well as TCP 443 is for secure internet traffic. It seems admins often blanket 443 port open regardless of protocol 🙃
The firewall they are using can't be fooled this way. This is something I tried.
I've never tried this myself, but the docs have some ways of maybe getting into working https://www.wireguard.com/known-limitations/#tcp-mode .
The udp2raw repo has the following description:
A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket,helps you Bypass UDP FireWalls(or Unstable UDP Environment)
Good news: it's possible! :) From Known Limitations on the Wireguard project site:
TCP Mode
WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard's UDP packets into TCP is the job of an upper layer of obfuscation (see previous point), and can be accomplished by projects like udptunnel and udp2raw.
Have a look into udptunnel and udp2raw and see how that works in your environment.
I think udp2raw could work, though I need to figure out how I can do it with the containers that already have.
As long as you're certain your wireguard server works from other networks.. You could use nginx as a proxy to have your server accept incoming traffic from UDP port 53 (DNS)... But, be careful!
I would strongly suggest you whitelist the restrictive network for use on UDP port 53. Is the WAN IP static on the restrictive network? Do you know the size of the WAN subnet? I'd try a quick test over UDP port 53 using nginx, then close it up. If it works, create your firewall rule to whitelist only the restrictive network and Bob's your aunt.
PS: If the restrictive network uses DPI (deep packet inspection) to verify they are real DNS queries on UDP 53, you can try putting DNSmuggle behind nginx. Do not have anything listen on localhost:53 as that may interfere with your local DNS at the server side. I don't know how well this will perform, but I'm assuming not amazing. DNSmuggle supports encrypted DNS, which should prevent the network(s) from hijacking your requests.
I'm 100% sure it works from other networks. UDP 123 is filtered by ISP. Someone mentioned some other low UDP port.
view more: next ›