xjkj8

WireGuard + udp2raw

The use case here is you are in an environment hostile to WireGuard or to UDP connections in general. The strategy is to use an obfuscated connection. udp2raw creates a tunnel through which UDP traffic passes as encrypted UDP, FakeTCP, or ICMP. This allows you to carry on working in the face of blocking, throttling, packet loss, or QoS problems.

1. Set up server

1.1. Install WireGuard on server

Update your server:

apt update && apt upgrade -y && apt autoremove -y

To make things easy, install WireGuard with the script from https://github.com/Nyr/wireguard-install:

wget https://git.io/wireguard -O wireguard-install.sh && bash wireguard-install.sh

Follow the prompts. You will see a dialog like this:

Welcome to this WireGuard road warrior installer!

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [123.45.67.89]:

What port should WireGuard listen to?
Port [51820]:

Enter a name for the first client:
Name [client]: win10

Select a DNS server for the client:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 3

WireGuard installation is ready to begin.
Press any key to continue...

Note that port udp/51820 does not need to be open in your server's firewall. This is because you are going to put udp2raw in front of WireGuard.

At the end of its run, the script displays a QR code for client configuration. The client configuration is stored for subsequent download in /root/win10.conf.

1.2. Reduce MTU

Bring down the WireGuard interface:

wg-quick down wg0

Edit the WireGuard interface configuration file:

vi /etc/wireguard/wg0.conf

In the [Interface] specification, add a line (udp2raw wraps every WireGuard packet in its own FakeTCP, UDP, or ICMP header, so the inner MTU must be lowered to leave room for that overhead and avoid fragmentation):

MTU = 1280

Save the file.

Bring up the WireGuard interface:

wg-quick up wg0

1.3. Download udp2raw binary

Download the latest binary from https://github.com/wangyu-/udp2raw/releases:

apt install curl -y

curl -L https://github.com/wangyu-/udp2raw/releases/download/20230206.0/udp2raw_binaries.tar.gz -O

Extract the archive:

tar -xf udp2raw_binaries.tar.gz

Determine which directories are in your execution path:

echo $PATH

Copy the binary for your architecture into a directory in your execution path. Example:

cp udp2raw_amd64 /usr/local/bin/udp2raw

1.4. Open firewall

Now you must decide what obfuscation method you are going to use. These are the values accepted by --raw-mode:

   udp      encrypted UDP
   faketcp  UDP carried in packets that look like a TCP stream
   icmp     UDP carried in ICMP echo packets

In the case of UDP or FakeTCP, you must also decide on a port number.

We will use as an example FakeTCP on port tcp/4096.

Open for input port tcp/4096 in your server's firewall and/or security groups.

1.5. Generate password for udp2raw

Generate a pseudorandom password:

< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo;

Example:

5EJBxa78v50znIovSxkTnAZDPU7VYrdp

1.6. Start screen session for udp2raw

If necessary, install screen (it is often included in most Linux distributions):

apt install screen -y

Start a screen session named, for example, udp2raw (it doesn't have to have the same name as the binary you will execute in it):

screen -S udp2raw

1.7. Run udp2raw

It is easiest to run udp2raw as root, but this is not necessary (FakeTCP and ICMP modes use raw sockets, which on Linux require root or the CAP_NET_RAW capability). Consult the README in the repository. In your screen session, start udp2raw running like this:

udp2raw -s -l 0.0.0.0:4096 -r 127.0.0.1:51820 -k "5EJBxa78v50znIovSxkTnAZDPU7VYrdp" --raw-mode faketcp

The parameters are:

   -s                    run in server mode
   -l 0.0.0.0:4096       listen on all interfaces on port 4096, the port you opened in the firewall
   -r 127.0.0.1:51820    forward the de-obfuscated UDP traffic to WireGuard listening on localhost
   -k "..."              the password generated in step 1.5; the client must use the same one
   --raw-mode faketcp    the obfuscation method chosen in step 1.4

1.8. Detach from screen session

Detach from the screen session by pressing Ctrl+a immediately followed by d.

(You can resume the named screen session at any time with the command screen -r udp2raw.)

1.9. Exit SSH session

Exit your SSH session:

exit

2. Set up client

These instructions are for a Windows client.

2.1. Install 7-Zip

Install 7-Zip from https://www.7-zip.org.

2.2. Install Npcap

Download and run the Npcap installer from https://npcap.com.

2.3. Download udp2raw binary for Windows

In a browser, visit https://github.com/wangyu-/udp2raw-multiplatform/releases.

Download udp2raw_mp_binaries.tar.gz.

In Windows Explorer, right-click on the tarball, and use 7-Zip to extract the inner tarball udp2raw_mp_binaries.tar.

Now right-click on udp2raw_mp_binaries.tar and use 7-Zip to extract its contents into a folder.

2.4. Run udp2raw in client mode

Open a command prompt window at the inner folder (for example, Downloads\udp2raw_mp_binaries.tar).

Start udp2raw_mp.exe running with parameters that match the server. Example:

udp2raw_mp.exe -c -l 127.0.0.1:51820 -r 123.45.67.89:4096 -k "5EJBxa78v50znIovSxkTnAZDPU7VYrdp" --raw-mode faketcp

The parameters are:

   -c                      run in client mode
   -l 127.0.0.1:51820      listen on localhost; WireGuard will use this as its Endpoint
   -r 123.45.67.89:4096    your server's public IP address and the udp2raw port opened in step 1.4
   -k "..."                the same password the server was started with
   --raw-mode faketcp      the same obfuscation method the server was started with

Leave the command prompt window open, with udp2raw_mp.exe running in it.

2.5. Install WireGuard

Install WireGuard for Windows from https://www.wireguard.com/install.

2.6. Download WireGuard configuration from server

Open Windows PowerShell.

Download the WireGuard client configuration created by the script. Example:

scp root@123.45.67.89:/root/win10.conf Downloads

2.7. Calculate AllowedIPs

Open a browser.

Go to https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator.

Calculate the AllowedIPs to exclude your server's IP address. In the Allowed IPs field, input 0.0.0.0/0, ::/0. In the Disallowed IPs field, input your server's IP address. Press Calculate.

This exclusion is required: the udp2raw client talks to the server's real address, and if that address were inside AllowedIPs, WireGuard would route udp2raw's own packets back into the tunnel (and the kill-switch would block them), so the tunnel could never come up.

2.8. Configure WireGuard

Open WireGuard for Windows.

Click Import tunnels from file.

Import your downloaded client configuration file Downloads/win10.conf.

Click Edit.

In the [Interface] specification, add a line:

MTU = 1280

In the [Peer] specification, change the AllowedIPs to be your calculated value from above that excludes the server itself.

Change the Endpoint from Endpoint = 123.45.67.89:51820 to point to localhost at Endpoint = 127.0.0.1:51820.

Make sure the box is checked to Block untunneled traffic (kill-switch).

Click Save.
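The AllowedIPs calculation from step 2.7 and the three config edits from step 2.8 can also be done offline. The following is an added example (not part of this guide or of the WireGuard or udp2raw projects) that reproduces the calculator's result with Python's ipaddress module and rewrites a downloaded client config; the SAMPLE_CONF contents are constructed placeholders, not a real key set.

```python
import ipaddress

# Constructed sample of the client config the installer writes; keys are placeholders.
SAMPLE_CONF = """[Interface]
Address = 10.7.0.2/24, fddd:2c4:2c4:2c4::2/64
DNS = 1.1.1.1
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 123.45.67.89:51820
PersistentKeepalive = 25
"""

def allowed_ips_excluding(server_ip, allowed=("0.0.0.0/0", "::/0")):
    """AllowedIPs covering every prefix in `allowed` except the single host server_ip.
    The /0 that contains the server is split into the prefixes around it (same result
    as the online calculator); prefixes of the other address family pass through."""
    host = ipaddress.ip_network(server_ip)          # "123.45.67.89" -> 123.45.67.89/32
    result = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr)
        if net.version == host.version and host.subnet_of(net):
            result.extend(sorted(net.address_exclude(host)))
        else:
            result.append(net)
    return ", ".join(str(n) for n in result)

def covers(allowed_ips, ip):
    """True if an AllowedIPs string would route traffic for `ip` into the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_ips.split(", "))

def rewrite_client_conf(conf, server_ip, mtu=1280, local_endpoint="127.0.0.1:51820"):
    """Apply the edits of steps 2.7 and 2.8 to the downloaded client config text."""
    out = []
    have_mtu = any(l.split("=", 1)[0].strip() == "MTU" for l in conf.splitlines())
    for line in conf.splitlines():
        key = line.split("=", 1)[0].strip()
        if key == "AllowedIPs":        # keep the server reachable outside the tunnel
            line = "AllowedIPs = " + allowed_ips_excluding(server_ip)
        elif key == "Endpoint":        # WireGuard now talks to the local udp2raw client
            line = "Endpoint = " + local_endpoint
        out.append(line)
        if line.strip() == "[Interface]" and not have_mtu:
            out.append(f"MTU = {mtu}")  # leave room for udp2raw's own headers
    return "\n".join(out) + "\n"
```

Running rewrite_client_conf(SAMPLE_CONF, "123.45.67.89") yields a config with 32 IPv4 prefixes plus ::/0 in AllowedIPs, and covers(...) lets you confirm the server address is the only one left outside the tunnel.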

2.9. Run WireGuard

Click Activate.

Check your apparent IP address at a site such as https://ipchicken.com. You should see the IP address of your server, not your local client.