Hi,

I would like to use Wireguard over TCP. I’m trying to reach my server from a restrictive network and UDP is being blocked. TCP is not blocked in certain ports though, and I would like to open a VPN server that listen on those over TCP.

I’m using the wireguard Linuxserver docker image. Any suggestions?

Thanks.

  • exu@feditown.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 years ago

    Wireguard only supports UDP. The main reason being TCP over TCP is extremely slow.

    You could try OpenVPN, I think that has a TCP mode though, as said, don’t expect good performance.

  • parmesancrabs@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 years ago

    For my setup, I used UDP port 443. For the vast majority of situations it works well as TCP 443 is for secure internet traffic. It seems admins often blanket 443 port open regardless of protocol 🙃

  • hensou@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 years ago

    I’ve never tried this myself, but the docs have some ways of maybe getting into working https://www.wireguard.com/known-limitations/#tcp-mode .

    The udp2raw repo has the following description:

    A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket,helps you Bypass UDP FireWalls(or Unstable UDP Environment)

  • zork
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 years ago

    As long as you’re certain your wireguard server works from other networks… You could use nginx as a proxy to have your server accept incoming traffic from UDP port 53 (DNS)… But, be careful!

    I would strongly suggest you whitelist the restrictive network for use on UDP port 53. Is the WAN IP static on the restrictive network? Do you know the size of the WAN subnet? I’d try a quick test over UDP port 53 using nginx, then close it up. If it works, create your firewall rule to whitelist only the restrictive network and Bob’s your aunt.

    PS: If the restrictive network uses DPI (deep packet inspection) to verify they are real DNS queries on UDP 53, you can try putting DNSmuggle behind nginx. Do not have anything listen on localhost:53 as that may interfere with your local DNS at the server side. I don’t know how well this will perform, but I’m assuming not amazing. DNSmuggle supports encrypted DNS, which should prevent the network(s) from hijacking your requests.