WIWS stands for WireGuard In a WebSocket. More precisely, it is a LinuxServer.io-based Docker container (with server mode forced) that wraps a WireGuard server so that its traffic is carried through a WSTunnel WebSocket tunnel.
Long story short, like many students in their twenties I was looking for a way to bypass the firewall rules at my school, which block UDP, VPN connections even over TCP, and so on (a true nightmare, believe me). During my research I came across Kirill888's notes on the subject (kudos to him), which inspired me to create this container.
TL;DR: if the firewall you're trying to bypass doesn't block TCP port 443, this container should do the trick (you must additionally set `WSSERVERPORT` to 443).
- First of all, note that this container needs the host's kernel modules directory passed in with `-v /lib/modules:/lib/modules` so that it can load the WireGuard kernel module; if you want to run the container on a Windows or macOS host you'll need to provide the modules some other way.
- Secondly, this project is only available for x86_64 / amd64 clients on Linux, macOS and Windows (no phones), because WSTunnel isn't consistently releasing binaries for arm64 or armhf, and getting WSTunnel to run on a phone might be too complicated to pull off.
- Thirdly, you need root access on Linux and macOS clients, and administrator rights on Windows clients, because of the PowerShell commands that have to be executed.

Note that WSTunnel is only an add-on: the classic WireGuard tunnel still runs normally alongside it (which is what your phone and ARM devices can use).
To deploy a wiws container you can use either the Docker CLI or docker-compose. The wiws container is based on the LinuxServer.io WireGuard Docker container; to support WSTunnel, some environment variables were added and a new TCP port was exposed so that WSTunnel can listen on it and forward the traffic. All the parameters you need to set are listed below, followed by usage examples.
Parameter | Function | Optional | Default value
---|---|---|---
`--name=wiws` | Sets the container name on the network (useful when using the provided nginx configs). | ✔️ | |
`-e PUID=1000` | User ID the container runs as; set it to your user to avoid permission issues on the config volume. | ✔️ | |
`-e PGID=1000` | Group ID the container runs as; set it to your group to avoid permission issues on the config volume. | ✔️ | |
`-e TZ=Europe/Paris` | Timezone used by the container. | ✔️ | Europe/London |
`-e PEERS=1` | Number of peers to create configs for. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only, at most 6 characters per name). | ❌ | |
`-e PEERDNS=auto` | DNS server written into the peer/client configs (can be set to e.g. `8.8.8.8`). Used in server mode. `auto` uses the Docker host's DNS through the included CoreDNS forwarder. | ✔️ | auto |
`-e INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the WireGuard server and peers (only change it if it clashes with a network you already use). | ✔️ | 10.13.13.0 |
`-e SERVERURL=wiws.domain.com` | External IP or domain name of the Docker host, written into the peer configs. Used in server mode. With `auto` the container tries to determine the external IP itself. | ✔️ | auto (your external IP) |
`-e SERVERPORT=51820` | External UDP port for classic WireGuard use. | ✔️ | 51820 |
`-e USINGDNSMASQ=false` | Whether dnsmasq is used by Linux and macOS clients. Can be changed independently afterwards by editing the `wstunnel.sh` script. | ✔️ | false |
`-e VERBOSE=false` | Makes the container output the full WSTunnel logs. | ✔️ | false |
`-e WSPREFIX=""` | Path prefix used by an optional reverse proxy in front of WSTunnel (see the NGINX-SWAG configs). | ✔️ | "" |
`-e WSSERVERPORT=27832` | External TCP port for WSTunnel, written into the peer configs. | ✔️ | 27832 |
`-p 27832:27832/tcp` | WSTunnel port. | ❌ | |
`-p 51820:51820/udp` | WireGuard port, only needed if you also want to keep a normal WireGuard server. | ✔️ | |
`-v /path/to/data/config:/config` | Contains all relevant configuration files (needed for persistent data). | ❌ | |
`-v /lib/modules:/lib/modules` | Maps the host's kernel modules folder. | ❌ | |
docker-compose (recommended)
Need some help with docker compose? See the Docker documentation.
```yaml
version: '3.3'
services:
  wiws:
    container_name: wiws
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - PEERS=1
      - PEERDNS=auto # optional, defaults to 'auto'
      - INTERNAL_SUBNET=10.13.13.0 # optional, defaults to 10.13.13.0
      - SERVERURL=wiws.domain.com # optional, defaults to 'auto' which will be your external IP
      - SERVERPORT=51820 # optional, defaults to 51820
      - USINGDNSMASQ=false # optional, defaults to false
      - WSPREFIX="" # optional, defaults to ""
      - WSSERVERPORT=27832 # optional, defaults to 27832
    ports:
      - 27832:27832/tcp
      - 51820:51820/udp # optional, only needed if you want to keep a normal WireGuard server
    volumes:
      - '/path/to/data/config:/config'
      - '/lib/modules:/lib/modules'
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    image: vic1707/wiws
```
docker cli
Need some help with the Docker CLI? See the Docker documentation.
```bash
docker run -d \
  --name=wiws \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Paris \
  -e PEERS=1 \
  -e PEERDNS=auto `#optional, defaults to 'auto'` \
  -e INTERNAL_SUBNET=10.13.13.0 `#optional, defaults to 10.13.13.0` \
  -e SERVERURL=wiws.domain.com `#optional, defaults to 'auto' which will be your external IP` \
  -e SERVERPORT=51820 `#optional, defaults to 51820` \
  -e USINGDNSMASQ=false `#optional, defaults to false` \
  -e WSPREFIX="" `#optional, defaults to ""` \
  -e WSSERVERPORT=27832 `#optional, defaults to 27832` \
  -p 27832:27832/tcp \
  -p 51820:51820/udp `#optional, only needed if you want to keep a normal WireGuard server` \
  -v /path/to/data/config:/config \
  -v /lib/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  vic1707/wiws
```
Once the server has started it generates a batch of files for each peer. Save them, as you will need to copy them to the client.
File | Function
---|---
`peer.conf` & `peer.png` | For a plain WireGuard client (requires UDP port 51820 to be published and bound to `SERVERPORT`). |
`peer.unix.conf` & `peer.win.conf` | For WireGuard through WSTunnel (requires TCP port 27832 to be published and bound to `WSSERVERPORT`). |
`peer.wstunnel.sh` & `peer.wstunnel.ps1` | Helper scripts that start and stop the WSTunnel client (`.sh` for Linux and macOS, `.ps1` for Windows). |
On every client that uses WSTunnel you need to install the latest WSTunnel binary and add it to `PATH`.
Windows process
- Run `reg add HKLM\Software\WireGuard /v DangerousScriptExecution /t REG_DWORD /d 1 /f` in an administrator PowerShell. This allows WireGuard to execute external scripts from tunnel configurations; as the key name says, it applies to every tunnel you import from then on, so only import configurations you trust.
- Create `C:\wstunnel\bin` and add it to `PATH`.
- Copy the downloaded binary to `C:\wstunnel\bin`.
macOS and Linux process
- Copy the downloaded binary to `/usr/local/bin/wstunnel` (don't forget to `chmod +x` it!).
Now take the batch of files generated earlier.
- On Windows, copy `wstunnel.ps1` to `C:\wstunnel\`.
- On Linux and macOS, copy `wstunnel.sh` to `/etc/wireguard/` (don't forget to `chmod +x` it!).

These paths and script names can be customized by editing the `.unix.conf` or `.win.conf` file.
Unfortunately the macOS WireGuard GUI isn't compatible with WSTunnel (it cannot run the hook scripts), but the GUI works fine on Windows.
If the GUI doesn't accept the `wspeer.XXXX.conf` file, use the CLI instead:
- `wg-quick up wspeer.XXXX.conf` to connect to the server,
- `wg-quick down wspeer.XXXX.conf` to disconnect.
- Shell access while the container is running: `docker exec -it wiws /bin/bash`
- To monitor the logs of the container in real time: `docker logs -f wiws`
If you're facing problems with the container, first run it with `VERBOSE` set to `true`: this makes the container output the WSTunnel logs.
To debug efficiently, narrow the problem down step by step:
1. Check that a normal WireGuard connection (UDP, port `SERVERPORT`) works.
2. Check that you can connect to WSTunnel from your local network, by running the `wstunnel` client command directly on your machine and sending a packet through it (netcat is a convenient tool for this).
   a. If you can, you should see a new connection in the container's logs, so the problem lies between the client and the container rather than in the container itself.
   b. If you can't, open an issue with your full configuration and the container's logs.
3. Check that you can connect to WSTunnel from the internet, first without any reverse proxy and then with it.
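Steps 2 and 3 both come down to the same question: does the path to `WSSERVERPORT` let a WebSocket through, or does something (the school firewall, a captive portal, a misconfigured reverse proxy) accept the TCP connection and then answer with a plain HTTP response? A raw `nc` to the port only proves the first half. The script below is an added example, not part of wiws or WSTunnel: it hand-rolls the RFC 6455 upgrade handshake that any WebSocket client performs, and verifies that the server replied `101` with the correct `Sec-WebSocket-Accept` (base64 of the SHA-1 of the client key plus the fixed RFC GUID). The host, port and path are whatever you deploy with; the path is where `WSPREFIX` goes when a reverse proxy is in front.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiws project. Performs the RFC 6455 upgrade
# handshake by hand so you can tell "TCP port reachable" apart from "a
# WebSocket was actually established" when debugging the WSTunnel path.
set -u

WS_GUID='258EAFA5-E914-47DA-95CA-C5AB0DC85B11'   # constant fixed by RFC 6455

# Expected Sec-WebSocket-Accept for a Sec-WebSocket-Key: base64(sha1(key + GUID)).
ws_accept_for_key() {
  local hex
  hex=$(printf '%s%s' "$1" "$WS_GUID" | sha1sum | cut -d' ' -f1)
  # turn the hex digest into raw bytes (octal escapes, POSIX printf) before base64
  printf '%s' "$hex" | sed 's/../& /g' | tr ' ' '\n' | while read -r byte; do
    [ -n "$byte" ] && printf "\\$(printf '%03o' "0x$byte")"
  done | base64 | tr -d '\n'
}

# Fresh 16-byte client nonce, base64 encoded, as the handshake requires.
ws_new_key() {
  head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# Upgrade request: $1 = Host header, $2 = request path (WSPREFIX goes here),
# $3 = Sec-WebSocket-Key.
ws_upgrade_request() {
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Key: %s\r\nSec-WebSocket-Version: 13\r\n\r\n' \
    "$2" "$1" "$3"
}

# Validate the server's response headers ($1) against the key we sent ($2):
# the status must be 101 and Sec-WebSocket-Accept must match, otherwise
# something other than a WebSocket server answered on that port.
ws_check_response() {
  local resp=$1 key=$2 status want got
  status=$(printf '%s' "$resp" | head -n 1 | tr -d '\r')
  case "$status" in
    'HTTP/1.1 101'*) ;;
    *) echo "no upgrade, server said: $status" >&2; return 1 ;;
  esac
  want=$(ws_accept_for_key "$key")
  got=$(printf '%s' "$resp" | tr -d '\r' | awk -F': *' 'tolower($1)=="sec-websocket-accept"{print $2}')
  if [ "$got" != "$want" ]; then
    echo "Sec-WebSocket-Accept mismatch: got '$got', want '$want'" >&2
    return 1
  fi
  return 0
}

# Live probe over plain TCP with bash's /dev/tcp: $1 = host, $2 = port, $3 = path.
# For a TLS listener, feed ws_upgrade_request through `openssl s_client` instead.
ws_probe() {
  local key resp='' line
  key=$(ws_new_key)
  exec 3<>"/dev/tcp/$1/$2" || return 1
  ws_upgrade_request "$1" "$3" "$key" >&3
  # read the headers only, up to the blank line; give up after 5 s of silence
  while IFS= read -r -t 5 line <&3; do
    line=${line%$'\r'}
    [ -z "$line" ] && break
    resp="$resp$line"$'\n'
  done
  exec 3>&-
  ws_check_response "$resp" "$key"
}

# usage: ws_probe wiws.domain.com 27832 / && echo "WebSocket OK"
```

When the probe fails at step 3 but succeeds at step 2, the status line it prints tells you who intercepted the connection: a `403` or `200` with HTML usually means a filtering proxy, while a `404` or a wrong `Sec-WebSocket-Accept` points at the reverse proxy not forwarding the upgrade headers or the `WSPREFIX` path.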