WireGuard over udp2raw
Running WireGuard over udp2raw
Introduction
In certain network environments, establishing a direct WireGuard connection may be challenging due to firewalls, NAT restrictions, or ISPs blocking UDP traffic. udp2raw provides a solution by encapsulating WireGuard's UDP traffic into encrypted packets that mimic TCP or ICMP protocols. This method helps bypass UDP blocking and can make your VPN connection appear as regular TCP or ICMP traffic. Method described is almost the same as TLS tunnel using stunnel but faster in my tests and works with UDP as well as with TCP.
Prerequisites
- Server: A remote server with root access where WireGuard is installed and configured.
- Client: A local machine with root access where WireGuard is installed and configured.
- udp2raw: Downloaded on both the server and client from the udp2raw releases page.
- A shared secret key: A plain text string used by udp2raw for authentication (e.g.,
SecReT-StrinG
).
How It Works
[WireGuard Client]
|
| UDP traffic to 127.0.0.1:6666
v
+---------------------+
| udp2raw Client |
| Listening on: |
| 127.0.0.1:6666 |
| Connecting to: |
| SERVER_IP:7777 |
+---------------------+
|
| Encrypted UDP/TCP/ICMP packets to SERVER_IP:7777
v
~~~~~~~~~~~~~ Internet ~~~~~~~~~~~~~
|
v
+---------------------+
| udp2raw Server |
| Listening on: |
| 0.0.0.0:7777 |
| Forwarding to: |
| 127.0.0.1:51820 |
+---------------------+
|
| UDP traffic to 127.0.0.1:51820
v
[WireGuard Server]
Data Flow
- WireGuard Client sends UDP packets to
127.0.0.1:6666
, which is the local udp2raw Client. - udp2raw Client encapsulates these UDP packets into encrypted UDP/TCP/ICMP packets and sends them over the internet to
SERVER_IP:7777
(the udp2raw Server). - udp2raw Server listens on
0.0.0.0:7777
, decrypts the incoming packets, and forwards them as UDP packets to127.0.0.1:51820
(the WireGuard Server). - WireGuard Server processes the packets and sends responses back through the same path in reverse.
Steps
1. Download and Install udp2raw
On both the server and client:
-
Navigate to the udp2raw releases page.
-
Download the appropriate binary for your system (e.g.,
udp2raw_amd64
for 64-bit Linux). -
Make the binary executable and move it to a directory in your
$PATH
:chmod +x udp2raw_amd64 sudo mv udp2raw_amd64 /usr/local/bin/
2. Configure udp2raw on the Server
Create a systemd service to run udp2raw as a daemon.
Command Explanation
-s
: Run in server mode.-l 0.0.0.0:7777
: Listen on all interfaces on port7777
.-r 127.0.0.1:51820
: Forward packets to127.0.0.1
on port51820
(WireGuard listens here).-k <PLAIN_TEXT_SECRET>
: Use the provided key for authentication.--raw-mode udp
: Use UDP mode for raw sockets.-a
: Auto-adjust TCP options.
Create Systemd Service
Create a file /etc/systemd/system/udp2raw.service
with the following content:
[Unit]
Description=udp2raw Server
After=network.target
[Service]
ExecStart=/usr/local/bin/udp2raw_amd64 -s -l 0.0.0.0:7777 -r 127.0.0.1:51820 -k SecReT-StrinG --raw-mode udp -a
Restart=always
User=root
RestartSec=3
[Install]
WantedBy=multi-user.target
Start the Service
sudo systemctl enable --now udp2raw
3. Configure udp2raw on the Client
Command Explanation
-c
: Run in client mode.-l 127.0.0.1:6666
: Listen on local address127.0.0.1
on port6666
(WireGuard will connect here).-r SERVER_IP:7777
: Connect to the udp2raw server atSERVER_IP
on port7777
.-k <PLAIN_TEXT_SECRET>
: Use the same key as the server for authentication.--raw-mode udp
: Use UDP mode for raw sockets.-a
: Auto-adjust TCP options.
Create Systemd Service
Replace SERVER_IP
with your server's IP address.
Create a file /etc/systemd/system/udp2raw.service
with the following content:
[Unit]
Description=udp2raw Client
After=network.target
[Service]
ExecStart=/usr/local/bin/udp2raw_amd64 -c -l 127.0.0.1:6666 -r SERVER_IP:7777 -k SecReT-StrinG --raw-mode udp -a
Restart=always
User=root
RestartSec=3
[Install]
WantedBy=multi-user.target
Start the Service
sudo systemctl enable --now udp2raw
4. Configure WireGuard to Use udp2raw
On the client, modify your WireGuard configuration to connect to the local udp2raw port.
Example WireGuard Client Configuration
[Interface]
PrivateKey = <Client_Private_Key>
Address = 10.0.0.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = <Server_Public_Key>
Endpoint = 127.0.0.1:6666
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
- Endpoint: Set to
127.0.0.1:6666
, the local udp2raw client's listening address. - AllowedIPs: Set to
0.0.0.0/0
to route all traffic through the VPN, or specify desired subnets.
Conclusion
By wrapping WireGuard traffic with udp2raw, you can bypass network restrictions that prevent standard UDP traffic. This setup encapsulates your VPN traffic in a way that appears as regular TCP, UDP or ICMP packets, enhancing connectivity in restrictive environments.