Skip to content

Instantly share code, notes, and snippets.

@hamid-rostami

hamid-rostami/README.md

Last active November 19, 2025 00:53
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save hamid-rostami/5ed34fe1948f40685f7035de36be7035 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save hamid-rostami/5ed34fe1948f40685f7035de36be7035 to your computer and use it in GitHub Desktop.
Download ZIP
wireguard over TCP
Raw
README.md

To pass wireguard's traffic through a TCP tunnel by using udp2raw

Requirements

For Arch linux, install udp2raw by pacman: pacman -S udp2raw

For Debian or Ubuntu, you can use a binary release from: https://github.com/wangyu-/udp2raw/releases

Then, install it under /sbin directory. For example, on a x86_64 system:

wget https://github.com/wangyu-/udp2raw/releases/download/20200818.0/udp2raw_binaries.tar.gz
tar xzvf udp2raw_binaries.tar.gz
sudo mv udp2raw_amd64 /sbin

Instruction:

  • Replace private and public keys in configuration files
  • Replace password in udp2raw command in both server's and client's configuration file
  • Change YOUR-SERVER-IP in client's config file (in udp2raw command) to your server IP address
  • On both server and client, copy corresponding config file to /etc/wireguard/wg0
  • Start wireguard on both server and client: sudo systemctl start wg-quick@wg0
  • Check connectivity by performing a ping command from client: ping 10.8.0.1

Notes:

  • Please note that based on the configuration provided, by udp2raw command, port 4096 of your server will be exposed to the world. Of course, you can change it to another port number.
  • If it doesn't work, remove PreUp and Postdown lines from both configs and run udp2raw commands in command-line with a --log-level option to see if TCP tunnel can be successfully established.
Raw
client-wg0
# Client configuration
[Interface]
PrivateKey = YOUR-CLIENT-PRIVATE-KEY
Address = 10.8.0.2/32
MTU = 1200
PreUp = udp2raw -c -l 127.0.0.1:51820 -r YOUR-SERVER-IP:4096 -k "your-password" --raw-mode faketcp -a --log-level 0 &
Postdown = pkill -f "udp2raw.*:51820"
[Peer]
PublicKey = 1w2ffwBzjyJMtPGB2QEe9hFHZ7bUyw3+cxhBC+OZfyM=
AllowedIPs = 10.8.0.0/24
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 20
Raw
server-wg0
# Server configuration
[Interface]
Address = 10.8.0.1/24
MTU = 1200
ListenPort = 51820
PrivateKey = YOUR-SERVER-PRIVATE-KEY
PreUp = sudo udp2raw -s -l 0.0.0.0:4096 -r 127.0.0.1:51820 -k "your-password" --raw-mode faketcp -a --log-level 0 &
Postdown = pkill -f "udp2raw.*:51820"
# Add your peers here
[Peer]
PublicKey = 1w2ffwBzjyJMtPGB2QEe9hFHZ7bUyw3+cxhBC+OZfyM=
AllowedIPs = 10.8.0.2/32
@wangyu-
Copy link

wangyu- commented Jun 10, 2024
edited
Loading

Can you help me , both client and server udp2raw log :

[2023-11-13 07:02:43][DEBUG]recv_safer failed!
[2023-11-13 07:02:44][DEBUG][38.9.140.224:58648][hb]received hb
[2023-11-13 07:02:44][DEBUG]heart beat sent<8ea7619c,d45052b1>
[2023-11-13 07:02:44][DEBUG]cipher_decrypt failed
[2023-11-13 07:02:44][DEBUG]recv_safer failed!
[2023-11-13 07:02:44][DEBUG][38.9.140.224:58648][hb]received hb
[2023-11-13 07:02:44][DEBUG]heart beat sent<8ea7619c,d45052b1>
[2023-11-13 07:02:44][DEBUG]cipher_decrypt failed
[2023-11-13 07:02:44][DEBUG]recv_safer failed!

In 80% case, it means your -k/--key or --cipher-mode --auth-mode doesn't match on client and server side. In this case, it's an easy fix.

In 5% case, it means your internet connection doesn't allow the packet constructed by raw socket to passthrough transparently (It might be because of your client's ISP or virtual machine's network adapter mode; or something related to your server's network infrastructure). In this case, you can barely do anything other than changing the ISP or server provider.

@iopq
Copy link

iopq commented Nov 25, 2024

I had to add masquerade iptable rules to forward the internet from the server to the client. I could ping the server, and even check the connection by launching an http server on the endpoint, but I couldn't access its outside connection

Here's how I did it:

PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

see: https://www.procustodibus.com/blog/2020/11/wireguard-point-to-site-config/

@hamid-rostami
Copy link
Author

hamid-rostami commented Nov 25, 2024

I had to add masquerade iptable rules to forward the internet from the server to the client. I could ping the server, and even check the connection by launching an http server on the endpoint, but I couldn't access its outside connection

Here's how I did it:

PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

see: https://www.procustodibus.com/blog/2020/11/wireguard-point-to-site-config/

Very well write up, thanks for sharing!

@iopq
Copy link

iopq commented Nov 26, 2024

Forgot to say, there's a typo in sudo systemclt start wg-quick@wg0 it should be systemctl

@hamid-rostami
Copy link
Author

hamid-rostami commented Nov 26, 2024

Forgot to say, there's a typo in sudo systemclt start wg-quick@wg0 it should be systemctl

Good catch! corrected.

@sertraline
Copy link

sertraline commented Apr 13, 2025

This works for me (with 0.0.0.0/0), it works in telegram, but for some reason it breaks all browsers, firefox and chromium based. If I try to open wikipedia in the browser I'll get timeout. But if I do curl https://wikipedia.org it loads wiki perfectly fine. Weird.

@sertraline
Copy link

sertraline commented Apr 13, 2025

solved my issue by lowering MTU to 1100

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment