wstunnel::tunnel::server: error while decoding jwt for tunnel info Err(Error(InvalidToken)) header None #330

Closed
cybergatto opened this issue Aug 9, 2024 · 3 comments
@cybergatto

Describe the bug

I'm trying to open a tunnel using the following path

PC on public internet --> wss://wstunnel.mydomain.onl:443 (on cloudflare) ---> wss://myrealserverip:443 (apache reverse proxy) --> ws://localhost:8443 (wstunnel on docker server)

command used on client to open the tunnel

wstunnel.exe client -L udp://13231:192.168.88.1:13231?timeout_sec=0 wss://wstunnel.mydomain.onl:443

on the client I receive error 400

To Reproduce

try connecting using this path

PC on public internet --> wss://wstunnel.mydomain.onl:443 (on cloudflare) ---> wss://myrealserverip:443 (apache reverse proxy) --> ws://localhost:8443 (wstunnel on docker server)

Expected behavior

connection should be able to open correctly

Your wstunnel setup

command used on client to open the tunnel

wstunnel.exe client -L udp://13231:192.168.88.1:13231?timeout_sec=0 wss://wstunnel.mydomain.onl:443

docker configuration is plain

    wstunnel:
      image: ghcr.io/erebe/wstunnel
      ports:
        - 8443:8443
      environment:
        - RUST_LOG=INFO
        - SERVER_PROTOCOL=ws
        - SERVER_LISTEN=[::]
        - SERVER_PORT=8443
      restart: always

apache configuration is simple as well

<VirtualHost *:443>
    SSLEngine on
    #SSLProxyEngine on
    #SSLProxyCheckPeerName off
    #SSLProxyVerify none
    #ProxyPreserveHost off
    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    ServerAlias wstunnel.mydomain.onl
    ProxyPass / http://localhost:8443/
    ProxyPassReverse / http://localhost:8443/
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://localhost:8443/$1" [P,L]
</VirtualHost>

on client log I get the following:

C:\Windows\System32>wstunnel.exe client -L udp://13231:192.168.88.1:13231?timeout_sec=0 wss://wstunnel.mydomain.onl:443
2024-08-09T08:31:41.813027Z  INFO wstunnel::udp: Starting UDP server listening cnx on 127.0.0.1:13231 with cnx timeout of 0s
2024-08-09T08:31:46.059614Z  INFO wstunnel::udp: New UDP connection from 127.0.0.1:63728
2024-08-09T08:31:46.060495Z  INFO wstunnel::tcp: Opening TCP connection to wstunnel.mydomain.onl:443
2024-08-09T08:31:46.646498Z  INFO wstunnel::tls: Doing TLS handshake using sni DnsName("wstunnel.mydomain.onl") with the server wstunnel.mydomain.onl:443
2024-08-09T08:31:54.646181Z ERROR tunnel{id="01913643-e98c-7798-9710-a1a3771f16ee" remote="192.168.88.1:13231"}: wstunnel::tunnel::client: failed to do websocket handshake with the server (Domain("wstunnel.mydomain.onl"), 443)

Caused by:
    Invalid status code: 400
2024-08-09T08:31:54.646468Z  INFO wstunnel::udp: New UDP connection from 127.0.0.1:63728
2024-08-09T08:31:54.646753Z  INFO wstunnel::tcp: Opening TCP connection to wstunnel.mydomain.onl:443

on server log I get:

wstunnel_1   | 2024-08-09T08:04:43.450526Z  INFO wstunnel::tunnel::server: Accepting connection
wstunnel_1   | 2024-08-09T08:04:43.450604Z  INFO tunnel{peer="[::ffff:172.18.0.1]:54890"}: wstunnel::tunnel::server: Request X-Forwarded-For: 109.55.48.225
wstunnel_1   | 2024-08-09T08:04:43.450617Z  WARN tunnel{peer="[::ffff:172.18.0.1]:54890" forwarded_for="109.55.48.225"}: wstunnel::tunnel::server: error while decoding jwt for tunnel info Err(Error(InvalidToken)) header None

Desktop (please complete the following information):

  • OS: Windows on client, docker on server
  • Version 11/latest

Additional context
no

@cybergatto cybergatto added the bug label Aug 9, 2024
@erebe
Owner

erebe commented Aug 9, 2024

Hello,
Thanks for the detailed report.
On the server side, would you mind trying to pin the docker image to the same version as your client?

As you don't specify any tag for your docker image, you are using an unreleased version.
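
The pinning advice above can be checked mechanically. This is an added example, not part of the thread or of the wstunnel project: it flags compose `image:` references that have no digest and either no tag or the `latest` tag. The compose snippets are constructed, and the `v9.7.4` image tag is an assumption taken from the version named later in the thread.

```python
import re

# Constructed compose snippets: the unpinned service from the report and a
# pinned variant. The tag "v9.7.4" is an assumption about registry tag naming.
COMPOSE_UNPINNED = """\
services:
  wstunnel:
    image: ghcr.io/erebe/wstunnel
    ports:
      - 8443:8443
"""
COMPOSE_PINNED = COMPOSE_UNPINNED.replace(
    "ghcr.io/erebe/wstunnel", "ghcr.io/erebe/wstunnel:v9.7.4")

# Matches "image: <ref>" lines, with or without quotes around the reference.
IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")


def split_image_ref(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A ':' starts a tag only when it comes after the last '/';
    # before that it is a registry port, as in localhost:5000/app.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, _, tag = name.rpartition(":")
    return name, tag, digest or None


def floating_images(compose_text):
    """Return image references whose content can change between pulls."""
    findings = []
    for line in compose_text.splitlines():
        match = IMAGE_LINE.match(line)
        if not match:
            continue
        _, tag, digest = split_image_ref(match.group(1))
        if digest is None and tag in (None, "latest"):
            findings.append(match.group(1))
    return findings


if __name__ == "__main__":
    for label, text in (("unpinned", COMPOSE_UNPINNED),
                        ("pinned", COMPOSE_PINNED)):
        print(label, floating_images(text))
```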

@cybergatto
Author

Thanks @erebe,
having both client and server in v9.7.4 did the trick! Now the tunnel is able to establish!
Unfortunately it seems that traffic isn't flowing through it as expected.
I'm using it to open a wireguard connection, and the wireguard handshake isn't completing


that's strange because both client and server logs are clean now:

C:\Windows\System32>wstunnel.exe client -L udp://13231:192.168.88.1:13231?timeout_sec=0 wss://wstunnel.mydomain.onl:443
2024-08-09T09:53:02.659249Z  INFO wstunnel::udp: Starting UDP server listening cnx on 127.0.0.1:13231 with cnx timeout of 0s
2024-08-09T09:53:14.450291Z  INFO wstunnel::udp: New UDP connection from 127.0.0.1:51396
2024-08-09T09:53:14.450501Z  INFO wstunnel::tcp: Opening TCP connection to wstunnel.mydomain.onl:443
2024-08-09T09:53:14.845342Z  INFO wstunnel::tls: Doing TLS handshake using SNI DnsName("wstunnel.mydomain.onl") with the server wstunnel.mydomain.onl:443

wstunnel_1   | 2024-08-09T09:53:18.360934Z  INFO wstunnel::tunnel::server: Accepting connection
wstunnel_1   | 2024-08-09T09:53:18.378451Z  INFO tunnel{peer="[::ffff:172.18.0.1]:35330"}: wstunnel::tunnel::server: Request X-Forwarded-For: 62.19.169.67
wstunnel_1   | 2024-08-09T09:53:18.383985Z  INFO tunnel{peer="[::ffff:172.18.0.1]:35330" forwarded_for="62.19.169.67" id="0191368e-80d2-7c20-b753-a2e61aef8ac4" remote="192.168.88.1:13231"}: wstunnel::tunnel::server: Tunnel accepted due to matched restriction: Allow All
wstunnel_1   | 2024-08-09T09:53:18.384021Z  INFO tunnel{peer="[::ffff:172.18.0.1]:35330" forwarded_for="62.19.169.67" id="0191368e-80d2-7c20-b753-a2e61aef8ac4" remote="192.168.88.1:13231"}: wstunnel::udp: Opening UDP connection to 192.168.88.1:13231
wstunnel_1   | 2024-08-09T09:53:18.384408Z DEBUG wstunnel::udp: connecting to 192.168.88.1:13231
wstunnel_1   | 2024-08-09T09:53:18.385286Z DEBUG tunnel{peer="[::ffff:172.18.0.1]:35330" forwarded_for="62.19.169.67" id="0191368e-80d2-7c20-b753-a2e61aef8ac4" remote="192.168.88.1:13231"}: wstunnel::udp: Connected to udp endpoint 192.168.88.1:13231, aborted all other connection attempts
wstunnel_1   | 2024-08-09T09:53:18.385304Z  INFO tunnel{peer="[::ffff:172.18.0.1]:35330" forwarded_for="62.19.169.67" id="0191368e-80d2-7c20-b753-a2e61aef8ac4" remote="192.168.88.1:13231"}: wstunnel::tunnel::server: connected to Udp { timeout: None } 192.168.88.1:13231

@erebe
Owner

erebe commented Aug 9, 2024

if you are using wireguard windows be sure to check this


If you have trouble with wireguard https://github.com/erebe/wstunnel?#wireguard-and-wstunnel-

If wstunnel cannot connect to server while wireguard is on,
be sure you have added a static route via your main gateway for the ip of wstunnel server.
Else if you forward all the traffic without putting a static route,
you will end up looping your traffic wireguard interface -> wstunnel client -> wireguard interface

If you have trouble making it work on windows, please check this issue #252
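
The loop described above comes down to route selection by longest prefix. This is an added example, not from the thread or the wstunnel README: it models a route table, shows that a full-tunnel WireGuard route captures traffic to the wstunnel server, and shows that a /32 host route via the main gateway breaks the loop. The interface names, metrics and the `203.0.113.10` server address are constructed.

```python
import ipaddress


def egress_interface(routes, dest):
    """Pick the route for dest: longest prefix wins, ties go to lowest metric."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes
                  if ip in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    best = max(candidates,
               key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                              -r["metric"]))
    return best["iface"]


def tunnel_loops(routes, wstunnel_server_ip, wg_iface="wg0"):
    """True when packets to the wstunnel server would enter WireGuard itself."""
    return egress_interface(routes, wstunnel_server_ip) == wg_iface


# Constructed sample values (hypothetical interface names and metrics).
WSTUNNEL_SERVER_IP = "203.0.113.10"
ROUTES_FULL_TUNNEL = [
    {"prefix": "0.0.0.0/0", "iface": "eth0", "metric": 25},  # main gateway
    {"prefix": "0.0.0.0/0", "iface": "wg0", "metric": 5},    # forward all traffic
    {"prefix": "192.168.1.0/24", "iface": "eth0", "metric": 25},
]
# Same table plus the static host route the advice asks for.
ROUTES_WITH_HOST_ROUTE = ROUTES_FULL_TUNNEL + [
    {"prefix": WSTUNNEL_SERVER_IP + "/32", "iface": "eth0", "metric": 1},
]

if __name__ == "__main__":
    print("loop without host route:",
          tunnel_loops(ROUTES_FULL_TUNNEL, WSTUNNEL_SERVER_IP))
    print("loop with host route:",
          tunnel_loops(ROUTES_WITH_HOST_ROUTE, WSTUNNEL_SERVER_IP))
```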

@erebe erebe closed this as completed Aug 15, 2024