TunSafe Forum

Welcome to the TunSafe Community Forum. This is open for discussions related to TunSafe and the WireGuard protocol.


#1 2018-12-16 23:42:42

ludde
Administrator
Registered: 2018-03-09
Posts: 127

New Release Candidate available: TunSafe v1.5-rc2

2018-12-16 - TunSafe v1.5-rc2

Changes:
1. Don't add endpoint route if route is not in included_routes
2. In BSD network code, don't add a route that's a subset of an Address
3. Don't add Excluded routes when Table=off
4. Display packet loss in Windows UI
5. Enable DNS block only if the DNS addr is a part of the routes
6. Support for WireGuard over TCP. Use Endpoint=tcp:// to connect
   to a TCP server, and use ListenPortTCP=12345 to listen on TCP.
7. Add support for Two Factor authentication. Read more on:
   https://github.com/TunSafe/TunSafe/wiki … th-TunSafe
8. Add support for a hybrid TCP/UDP mode that uses TCP for handshakes
   and UDP for data traffic. This means that PersistentKeepalive can
   be significantly raised to for example 300 seconds, since as long
   as the TCP connection remains open through NAT then the WireGuard
   connection will stay alive. Enable with Features=hybrid_tcp
9. Support for obfuscated WireGuard connections. Use ObfuscateKey=foo
   in the [Interface] section to setup the obfuscator key. It needs
   to be set to the same thing on both sides. There's also another
   setting to masquerade TCP connections as TLS. Use ObfuscateTCP to
   setup how TCP gets obfuscated. The default is to just make everything
   look totally random. It can also be set to tls-chrome or tls-firefox
   to make the traffic look like HTTPS traffic.
10. Display incoming invalid packets in Windows UI
11. Hide files not ending with .conf from list in Windows UI

#2 2018-12-17 14:56:22

forumuser
Member
Registered: 2018-06-14
Posts: 25

Re: New Release Candidate available: TunSafe v1.5-rc2

Thanks for implementing 11! TunSafe finally no longer displays folders that don't contain any .conf files at all.

#3 2019-01-05 13:07:18

janw
Member
Registered: 2018-10-23
Posts: 11

Re: New Release Candidate available: TunSafe v1.5-rc2

Hi ludde,

great news. TCP mode and masquerading traffic as HTTPS is exactly what I think has been missing from Wireguard to make it a complete solution that will make OpenVPN obsolete.

Just so I understand: these changes are TunSafe-specific, correct? Any plans to push them upstream to Wireguard? Are you talking to the Wireguard maintainers?

Happy new year to all of you & thanks,
Jan

Last edited by janw (2019-01-05 13:07:35)

#4 2019-01-05 14:54:34

janw
Member
Registered: 2018-10-23
Posts: 11

Re: New Release Candidate available: TunSafe v1.5-rc2

I just compiled the most recent version of TunSafe for a Linux box and tried to establish a TCP connection from my Windows PC. No success until now.

The client just hangs at

Connecting to tcp://51.15.xxx.xxx...

Obfuscation over UDP seems to be working fine.

This is what my config for TCP looks like:

On the server side, I added the following to the [Interface] section

ListenPortTCP = 443
ObfuscateKey=<key>
ObfuscateTCP=tls-chrome

On the client side, I added

ObfuscateKey=<key>
ObfuscateTCP=tls-chrome

and changed the endpoint to:

Endpoint = tcp://<my-ipv4>:443

Am I missing something?

Thanks.
Jan

#5 2019-01-06 15:55:40

ludde
Administrator
Registered: 2018-03-09
Posts: 127

Re: New Release Candidate available: TunSafe v1.5-rc2

No, it looks right. Does the client actually hang and become unresponsive so that you have to kill it, or does the UI still work?

#6 2019-01-06 16:01:27

ludde
Administrator
Registered: 2018-03-09
Posts: 127

Re: New Release Candidate available: TunSafe v1.5-rc2

On the client side, can you try telnet to that ip 51.15.xxx.xxx port 443 and see if the port is open?

#7 2019-01-07 13:34:45

hybtoy
Member
Registered: 2018-07-05
Posts: 20

Re: New Release Candidate available: TunSafe v1.5-rc2

ludde wrote:

2018-12-16 - TunSafe v1.5-rc2
6. Support for WireGuard over TCP. Use Endpoint=tcp:// to connect
   to a TCP server, and use ListenPortTCP=12345 to listen on TCP.
7. Add support for Two Factor authentication. Read more on:
   https://github.com/TunSafe/TunSafe/wiki … th-TunSafe
8. Add support for a hybrid TCP/UDP mode that uses TCP for handshakes
   and UDP for data traffic. This means that PersistentKeepalive can
   be significantly raised to for example 300 seconds, since as long
   as the TCP connection remains open through NAT then the WireGuard
   connection will stay alive. Enable with Features=hybrid_tcp
9. Support for obfuscated WireGuard connections. Use ObfuscateKey=foo
   in the [Interface] section to setup the obfuscator key. It needs
   to be set to the same thing on both sides. There's also another
   setting to masquerade TCP connections as TLS. Use ObfuscateTCP to
   setup how TCP gets obfuscated. The default is to just make everything
   look totally random. It can also be set to tls-chrome or tls-firefox
   to make the traffic look like HTTPS traffic.

Any "how-to"s for these? I didn't find any manual or info on the site.
As I understand it, the server also has to support these features, so do I have to install wg from your repository?

#8 2019-01-07 23:23:33

ludde
Administrator
Registered: 2018-03-09
Posts: 127

Re: New Release Candidate available: TunSafe v1.5-rc2

You need to build TunSafe and run it on the server.

#9 2019-01-08 05:10:46

hybtoy
Member
Registered: 2018-07-05
Posts: 20

Re: New Release Candidate available: TunSafe v1.5-rc2

ludde wrote:

You need to build TunSafe and run it on the server.

Ok, got it.
What about an explanation of the features and how to set them up on both sides?
Thanks.

#10 2019-01-08 12:09:57

janw
Member
Registered: 2018-10-23
Posts: 11

Re: New Release Candidate available: TunSafe v1.5-rc2

ludde wrote:

No it looks right. Does the client actually hang and becomes unresponsive and you have to kill it, or does the UI still work?

Hi,

The client stays responsive, I can cancel the connection attempt. Here is a bit more logging:

[12:01:06] Connecting to tcp://51.15.###.###...
[12:01:11] Retrying handshake, attempt 2...
[12:01:17] Retrying handshake, attempt 3...
[12:01:22] Retrying handshake, attempt 4...
[12:01:22] Making new Tcp socket due to too many handshake failures
[12:01:22] Connecting to tcp://51.15.100.114...
[12:01:27] Retrying handshake, attempt 5...

On the server, netstat shows that Wireguard is listening ...

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      20463/tunsafe

... but trying to connect using putty as telnet client, I get a timeout. Port 443 is not open.

The server is a VM (hosted at Scaleway) and there are no firewall restrictions in place.

Any idea?

Thanks,
Jan

#11 2019-01-08 13:31:28

ludde
Administrator
Registered: 2018-03-09
Posts: 127

Re: New Release Candidate available: TunSafe v1.5-rc2

janw wrote:

On the server, netstat shows that Wireguard is listening ...

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      20463/tunsafe

... but trying to connect using putty as telnet client, I get a timeout. Port 443 is not open.

If you stop the tunsafe server and instead run "nc -l 443" are you able to connect with telnet then, or do you see lots of junk being printed when the TunSafe client is trying to connect?

You can also run "tcpdump port 443" on the server while TunSafe server is running and let me know what it prints while the TunSafe client is trying to connect.

#12 2019-01-12 13:08:33

janw
Member
Registered: 2018-10-23
Posts: 11

Re: New Release Candidate available: TunSafe v1.5-rc2

ludde wrote:
janw wrote:

On the server, netstat shows that Wireguard is listening ...

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      20463/tunsafe

... but trying to connect using putty as telnet client, I get a timeout. Port 443 is not open.

If you stop the tunsafe server and instead run "nc -l 443" are you able to connect with telnet then, or do you see lots of junk being printed when the TunSafe client is trying to connect?

You can also run "tcpdump port 443" on the server while TunSafe server is running and let me know what it prints while the TunSafe client is trying to connect.

Sorry, you're right. Seems to be an iptables issue. Will try again - I'm sure it'll work then. Thanks for your help troubleshooting this.

Best,
Jan

#13 2019-01-12 13:35:03

janw
Member
Registered: 2018-10-23
Posts: 11

Re: New Release Candidate available: TunSafe v1.5-rc2

ludde wrote:

2018-12-16 - TunSafe v1.5-rc2
Add support for a hybrid TCP/UDP mode that uses TCP for handshakes
  and UDP for data traffic. This means that PersistentKeepalive can
  be significantly raised to for example 300 seconds, since as long
  as the TCP connection remains open through NAT then the WireGuard
  connection will stay alive. Enable with Features=hybrid_tcp

Got the TCP mode working. Thanks for implementing this!

Could you elaborate a bit on how the hybrid TCP/UDP mode works?

I got it working by adding the "Features=hybrid_tcp" flag to the "[Peer]" section on both sides. Log shows ...

Using chacha20-poly1305, hybrid_tcp

... so it seems to be working. Does this mean TunSafe will fall back to pure TCP if UDP traffic is blocked due to a restrictive firewall or do I have to do this manually using different configuration files?

Thanks a lot,
Jan

#14 2019-01-12 13:54:25

ludde
Administrator
Registered: 2018-03-09
Posts: 127

Re: New Release Candidate available: TunSafe v1.5-rc2

It means it uses TCP for handshaking and UDP for data. This means you don't need to use PersistentKeepalive=25, which will wake your mobile unnecessarily. It will not do any fallback or anything like that, but that's a good idea to add in the future.
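A small consistency check for the TCP-mode settings discussed in this thread: the tcp:// Endpoint and ListenPortTCP pairing from the changelog, the ObfuscateKey/ObfuscateTCP values that janw's config in #4 sets on both sides, and the Features=hybrid_tcp flag that #13 and #14 place in the [Peer] section on both sides. This is example code written for this page, not part of TunSafe; the two configs are constructed, and placing the client's ObfuscateKey/ObfuscateTCP in [Interface] is an assumption taken from the changelog's server-side description.

```python
# Consistency check for the TunSafe v1.5 TCP/obfuscation settings in this thread.
# Added example, not TunSafe code; the constructed sample configs below list only
# the keys the check looks at (real keys, addresses and AllowedIPs are omitted).
from urllib.parse import urlsplit

def parse_conf(text):
    """{section: {key: value}} from a WireGuard-style .conf (one [Peer] assumed)."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conf

def check_pair(server_text, client_text):
    """Return the mismatches that stop a TCP-mode client from handshaking."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    endpoint = c.get("Peer", {}).get("Endpoint", "")
    if endpoint.startswith("tcp://"):   # TCP mode: server must listen on that port
        port, listen = urlsplit(endpoint).port, s.get("Interface", {}).get("ListenPortTCP")
        if listen is None:
            problems.append("client uses a tcp:// Endpoint but server has no ListenPortTCP")
        elif str(port) != listen:
            problems.append(f"client targets TCP port {port}, server ListenPortTCP is {listen}")
    for key in ("ObfuscateKey", "ObfuscateTCP"):   # must be identical on both sides
        if s.get("Interface", {}).get(key) != c.get("Interface", {}).get(key):
            problems.append(f"{key} differs between server and client")
    hybrid = [x.get("Peer", {}).get("Features") == "hybrid_tcp" for x in (s, c)]
    if hybrid[0] != hybrid[1]:   # hybrid mode goes in [Peer] on both sides (#13)
        problems.append("Features=hybrid_tcp is set in [Peer] on only one side")
    return problems

SERVER_CONF = """[Interface]
ListenPortTCP = 443
ObfuscateKey = constructed-shared-secret
ObfuscateTCP = tls-chrome
[Peer]
Features = hybrid_tcp
"""
CLIENT_CONF = """[Interface]
ObfuscateKey = constructed-shared-secret
ObfuscateTCP = tls-chrome
[Peer]
Endpoint = tcp://203.0.113.10:443
PersistentKeepalive = 300
Features = hybrid_tcp
"""
```

Running `check_pair(SERVER_CONF, CLIENT_CONF)` on the constructed pair returns an empty list; change a port, an obfuscation value or drop one side's Features line and the corresponding mismatch is reported.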

#15 2019-01-12 14:08:25

janw
Member
Registered: 2018-10-23
Posts: 11

Re: New Release Candidate available: TunSafe v1.5-rc2

Hi ludde,

thanks for your quick reply. With some kind of TCP/UDP -> TCP fallback, I think TunSafe will be the perfect VPN: the user will automatically get the best performance possible under the conditions of the network available, i.e. UDP if it can get through and TCP if there are restrictive firewall rules in place (I guess even very restrictive ones like China's great firewall thanks to the ObfuscateTCP option).

Do you plan to submit your feature additions for WireGuard in the future?

Thanks a lot for your work!

Cheers,
Jan