Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 226 through 240 (of 1,507 total)
  • in reply to: Allowed IPs? Clarification and support #13229
    Vadim Smirnov
    Keymaster

      Hello thrik,

      It’s important to note that using AllowedIPs = 0.0.0.0/0, ::/0 already covers the entire address space. Therefore, adding specific IPs like X.X.X.X/32 after this range is redundant. If your configuration file contains:

      AllowedApps = firefox, qbittorrent
      AllowedIPs = X.X.X.X/32, X.X.X.X/32

      This configuration means that only the two listed applications (firefox and qbittorrent) will send data to the two specified IPs over the tunnel.

      To achieve your goal of allowing almost all IPs to go outside your tunnel with some being inside, you might need to reconsider your configuration and ensure that there are no conflicts between AllowedApps and AllowedIPs.

      Hope this helps!

      in reply to: WireSock crashes at some applications start #13224
      Vadim Smirnov
      Keymaster

        I’m currently investigating a panic issue caused by boringtun when processing certain specific network packets, and your situation might be similar. Are you using WireSock in NAT or Virtual Adapter mode? Could you please gather the crash dump for further analysis?

        Vadim Smirnov
        Keymaster

          Thank you for the information provided. Yes, I know that WireSockUI has problems. This application has had a complicated history and several authors. Unfortunately, I very rarely work with C#, and UI is not my specialty, but I will try to find time to work on the bugs that were found.

          in reply to: App filter not working #13220
          Vadim Smirnov
          Keymaster

            I’m glad to hear that only using one filter seems to be a viable workaround for you. I understand the continued issues you’re experiencing with the file path and the .exe in the filter; indeed, this seems to be a limitation with WireSockUI.

            In contrast, the CLI client does not have these issues, and you might find it more accommodating for your use case. I suggest giving it a try while we’re working on improvements to WireSockUI.

            I will also try to allocate some time to look into improving WireSockUI, although I should note that my proficiency isn’t particularly strong in C#. Despite that, I’ll certainly do my best to address these issues and provide a better experience.

            Thank you again for bringing this to my attention, and for your patience as we work on these improvements.

            Cheers!

            in reply to: App filter not working #13217
            Vadim Smirnov
            Keymaster

              I advise against using both AllowedApps and DisallowedApps in the same configuration file. When AllowedApps is used, it implies that only the traffic from specified apps will be forwarded over the tunnel. Conversely, using DisallowedApps means that all traffic, except from these designated apps, will be sent over the tunnel. Combining both parameters can complicate the logic and potentially cause ambiguity in the routing rules.

              Please avoid using quotation marks. The string specified in AllowedApps/DisallowedApps is divided by commas, and the resulting substrings are employed as matching patterns. If a pattern includes a backslash (\), it is treated as a complete pathname. Conversely, without a backslash, it is interpreted as a simple application name.

              in reply to: App filter not working #13212
              Vadim Smirnov
              Keymaster

                Could you kindly provide the complete configuration file, excluding any keys, for review? Please be aware that the configuration accepts only a single DisallowedApps parameter; however, it can contain a list of apps, separated by commas.
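The rules from the posts above (comma-separated patterns, a backslash marking a full pathname, no quotation marks, not mixing AllowedApps with DisallowedApps, a single DisallowedApps line, and specific AllowedIPs being redundant next to 0.0.0.0/0), checked in an added Python example that is not part of the original posts or of WireSock. The `parse`, `split_patterns` and `lint` helpers and the sample configuration are constructed for illustration; how WireSock matches a pattern against a running process is not modelled.

```python
import ipaddress
from collections import defaultdict

# Constructed sample config; key, endpoint and addresses are placeholders.
SAMPLE = r"""
[Peer]
PublicKey = --REMOVED-KEY--
Endpoint = ENDPOINT:PORT
AllowedIPs = 0.0.0.0/0, ::/0, 203.0.113.7/32
AllowedApps = firefox, "C:\Program Files\qBittorrent\qbittorrent.exe"
DisallowedApps = chrome
DisallowedApps = mstsc
"""

def parse(text):
    """Collect every value per key, so a repeated key stays visible."""
    values = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith((";", "#", "[")):
            key, _, value = line.partition("=")
            values[key.strip().lower()].append(value.strip())
    return values

def split_patterns(value):
    """Comma-split as the post describes; a backslash marks a full pathname."""
    items = [p.strip() for p in value.split(",") if p.strip()]
    return [(p, "pathname" if "\\" in p else "name") for p in items]

def lint(text):
    cfg, findings = parse(text), []
    if cfg["allowedapps"] and cfg["disallowedapps"]:
        findings.append("AllowedApps and DisallowedApps are both set")
    if len(cfg["disallowedapps"]) > 1:
        findings.append("DisallowedApps is given more than once; use one comma-separated line")
    for key in ("allowedapps", "disallowedapps"):
        for value in cfg[key]:
            for pattern, _kind in split_patterns(value):
                if '"' in pattern:
                    findings.append(f"quotation marks in pattern: {pattern}")
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for v in cfg["allowedips"] for n in v.split(",") if n.strip()]
    for net in nets:
        cover = next((o for o in nets if o != net and o.version == net.version
                      and net.subnet_of(o)), None)
        if cover is not None:
            findings.append(f"{net} is redundant: already covered by {cover}")
    return findings
```

Calling `lint(SAMPLE)` returns four findings, one per rule the sample breaks.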

                in reply to: Recommended SOCKS5 Proxy setup? #13205
                Vadim Smirnov
                Keymaster

                  Sorry to bother, but does the SOCKS5 proxy server actually need to be on the same server where WireGuard is?

                  No, it’s not mandatory for the SOCKS5 server and the WireGuard (WG) server to operate on the same machine; they can indeed function on separate systems. In fact, I currently have such configurations in operation. However, it’s vital to underline that the SOCKS5 server MUST support UDP ASSOCIATE. Unfortunately, most ‘free’ SOCKS5 servers do not enable this feature.
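What the UDP ASSOCIATE requirement looks like on the wire, as an added Python example that is not part of the original post or of WireSock: it builds the RFC 1928 UDP ASSOCIATE request and interprets the server's reply, where reply code 0x07 means the command is not supported. The function names and the sample replies are constructed for illustration, and the method negotiation that precedes the request is assumed to have completed already.

```python
import ipaddress
import struct

CMD_UDP_ASSOCIATE = 0x03          # RFC 1928, section 4
REP_SUCCEEDED = 0x00              # RFC 1928, section 6
REP_COMMAND_NOT_SUPPORTED = 0x07  # what a TCP-only proxy answers

def build_udp_associate(client_ip="0.0.0.0", client_port=0):
    """Request bytes: VER, CMD, RSV, ATYP=IPv4, DST.ADDR, DST.PORT."""
    addr = ipaddress.IPv4Address(client_ip).packed
    return struct.pack("!BBBB4sH", 0x05, CMD_UDP_ASSOCIATE, 0x00, 0x01,
                       addr, client_port)

def parse_reply(data):
    """Return (supported, reply_code, relay); relay is (host, port) or None."""
    if len(data) < 5 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != REP_SUCCEEDED:
        return False, rep, None
    # Address field layout per ATYP: IPv4, IPv6, or length-prefixed domain name.
    layout = {0x01: (4, 4), 0x04: (4, 16), 0x03: (5, data[4])}
    start, size = layout.get(atyp, (None, None))
    if start is None or len(data) < start + size + 2:
        raise ValueError("truncated reply or unknown address type")
    raw = data[start:start + size]
    host = raw.decode("ascii") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", data[start + size:start + size + 2])
    return True, rep, (host, port)

# Constructed replies: one from a proxy that opens a UDP relay, one that refuses.
REPLY_OK = bytes.fromhex("05000001c63364029c40")
REPLY_REFUSED = bytes.fromhex("05070001000000000000")

if __name__ == "__main__":
    print(build_udp_associate().hex())
    print(parse_reply(REPLY_OK))
    print(parse_reply(REPLY_REFUSED))
```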

                  in reply to: Failed to figure out route to VPN server error #13202
                  Vadim Smirnov
                  Keymaster

                    After careful review, I acknowledge that the proposed modification is indeed feasible. However, it’s important to note that this task will demand a substantial investment of time, potentially spanning several full working days, for both implementation and rigorous testing. Given that I am currently employed full-time, my availability is limited. Unfortunately, I am unable to provide a specific timeline or estimated completion date at this moment. Nevertheless, please be assured that this feature has been added to my TODO list and will be addressed as soon as my schedule permits.

                    in reply to: The ListenPort setting doesn’t work #13200
                    Vadim Smirnov
                    Keymaster

                      FTP has some nuances with NAT traversal; that may be the cause. I will take a look when I have time.

                      in reply to: installation of service #13199
                      Vadim Smirnov
                      Keymaster

                        Currently, interaction with the service running in the background is limited to standard Windows tools. I’m developing a more sophisticated version of the service, although my progress is constrained by limited time availability.

                        WiresockUI operates autonomously to start and control the WireGuard Tunnel. However, it lacks the functionality to regulate the background service or to operate concurrently with it.

                        Could you kindly elaborate on your query regarding port forwarding? You should be able to access your local ports from other WireGuard clients, provided they are connected to the same VPN network. However, please note that you may need to configure your Windows Firewall to open these specific ports or disable the firewall entirely.

                        Vadim Smirnov
                        Keymaster

                          Thank you for bringing this to our attention. I will make an effort to find some time to work on WireSockUI.

                          in reply to: The ListenPort setting doesn’t work #13192
                          Vadim Smirnov
                          Keymaster

                            All of the tests above were run in NAT mode (without -lac). The problems you are seeing may be related to differing MTUs; it would be worth capturing the traffic by running the client with -log-level all and seeing what breaks where.

                            in reply to: The ListenPort setting doesn’t work #13191
                            Vadim Smirnov
                            Keymaster

                              I finally got around to running a few tests. Configuration:

                              Peer 1 (WireGuard Server):

                              —————————————

                              Windows 10 x64

                              WireGuard For Windows v0.5.3

                              WireSock VPN Gateway v1.1.4

                              —————————————

                              Peer 2 (WireGuard Client):

                              Windows 11 x64

                              WireSock VPN Client v1.2.28

                              —————————————

                              Peer 3 (WireGuard Client):

                              Windows 11 ARM64

                              WireSock VPN Client v1.2.28

                              —————————————

                              Peer 2 WireGuard configuration (NAT mode):

                              [Interface]
                              PrivateKey = --REMOVED-KEY--
                              Address = 10.10.11.3/24
                              DNS = 8.8.8.8, 1.1.1.1
                              MTU = 1412
                              
                              [Peer]
                              PublicKey = --REMOVED-KEY--
                              AllowedIPs = 0.0.0.0/0
                              Endpoint = ENDPOINT:PORT
                              PersistentKeepalive = 25
                              AllowedApps = chrome, mstsc, iperf3, simple-web-server
                              DisallowedIPs = 192.168.3.0/24, 10.10.1.0/24

                              —————————————

                              Peer 3 WireGuard configuration (NAT mode):

                              [Interface]
                              PrivateKey = --REMOVED-KEY--
                              Address = 10.10.11.6/24
                              DNS = 8.8.8.8, 1.1.1.1
                              MTU = 1412
                              
                              [Peer]
                              PublicKey = --REMOVED-KEY--
                              AllowedIPs = 0.0.0.0/0
                              Endpoint = ENDPOINT:PORT
                              PersistentKeepalive = 25
                              
                              ; WireSock extensions
                              DisallowedIPs = 192.168.3.0/24, 10.10.1.0/24

                              —————————————

                              Running on Peer 2:

                              iperf3.exe -s
                              
                              simple-file-server.exe

                              On Peer 1 and Peer 2 we run iperf3 and the simple-file-server/test test scripts:

                              python fs-test-single.py download test-file-1.txt 2000000 http://10.10.11.3:3000
                              File does not exist on the server. Uploading the file...
                              File: test-file-1.txt already exists with the correct size of 2000000 bytes.
                              File generated: test-file-1.txt, Size: 2000000 bytes, Time taken: 0.00s
                              File uploaded: test-file-1.txt, Status: 200, Time taken: 12.59s
                              File downloaded: test-file-1.txt, Status: 200, Time taken: 11.58s
                              File deleted: test-file-1.txt, Status: 200, Time taken: 0.22s

                              iperf3 -c 10.10.11.3
                              Connecting to host 10.10.11.3, port 5201
                              [ 4] local 10.10.11.1 port 60574 connected to 10.10.11.3 port 5201
                              [ ID] Interval Transfer Bandwidth
                              [ 4] 0.00-1.01 sec 1.25 MBytes 10.4 Mbits/sec
                              [ 4] 1.01-2.00 sec 128 KBytes 1.05 Mbits/sec
                              [ 4] 2.00-3.01 sec 256 KBytes 2.07 Mbits/sec
                              [ 4] 3.01-4.01 sec 384 KBytes 3.14 Mbits/sec
                              [ 4] 4.01-5.00 sec 384 KBytes 3.19 Mbits/sec
                              [ 4] 5.00-6.00 sec 384 KBytes 3.14 Mbits/sec
                              [ 4] 6.00-7.00 sec 128 KBytes 1.05 Mbits/sec
                              [ 4] 7.00-8.01 sec 128 KBytes 1.03 Mbits/sec
                              [ 4] 8.01-9.00 sec 256 KBytes 2.12 Mbits/sec
                              [ 4] 9.00-10.00 sec 384 KBytes 3.15 Mbits/sec
                              - - - - - - - - - - - - - - - - - - - - - - - - -
                              [ ID] Interval Transfer Bandwidth
                              [ 4] 0.00-10.00 sec 3.62 MBytes 3.04 Mbits/sec sender
                              [ 4] 0.00-10.00 sec 3.45 MBytes 2.90 Mbits/sec receiver

                              in reply to: The ListenPort setting doesn’t work #13189
                              Vadim Smirnov
                              Keymaster

                                I also found the following problem. The client is Win2008R2 + IIS FTP server + IIS web server. If the service is started without -lac (wiresock-client.exe install -start-type 2 -config wg1.conf -log-level none), then when the FTP server is accessed from the wg interface side in passive mode the connection crashes, and the same happens when the web server is accessed. If the service is started with -lac (wiresock-client.exe install -start-type 2 -config wg1.conf -log-level none -lac), the problem is not observed.

                                If it is not too much trouble, some details would help. If I understand correctly, you are trying to access these services through the tunnel? What does "the connection crashes" mean? Is it not established, or does it work and then drop after some time?

                                The modes with and without the virtual adapter differ quite a lot. In the latter case there is no additional network interface in the system: all traffic goes out from the default interface, and the relevant traffic is packed into the tunnel after NAT (the source address is replaced with the address from the config). In the reverse direction, traffic is unpacked from the tunnel and passes through NAT again (now the destination address is changed to the real local network address).

                                I would like it to initiate with the port specified in the config; the official client does this, and in some cases it is convenient.

                                In principle that is not difficult, if the address is free. It can be added in the next version.

                                in reply to: The ListenPort setting doesn’t work #13186
                                Vadim Smirnov
                                Keymaster

                                  Good day!

                                  I don't quite understand: is the question about the Wiresock client? The client does not listen on any specific port and functions only as a client (the tunnel initiator); the keepalive parameter is passed to BoringTun, which periodically sends keepalive packets. In principle, although it is not obvious from the library's interface, BoringTun also allows the server side to be implemented (accepting connections). I may take this up at some point if I have free time; the topic is largely adjacent to support for multiple tunnels.
