wstunnel
Most of the time when you are using a public network, you are behind some kind of firewall or proxy. One of their purposes is to constrain you to only use certain kinds of protocols and consult only a subset of the web. Nowadays, the most widespread protocol is http and is de facto allowed by third-party equipment.
Wstunnel uses the websocket protocol which is compatible with http to bypass firewalls and proxies. Wstunnel allows you to tunnel whatever traffic you want and access whatever resources/site you need.
What to expect:
- Easy to use
- Good error messages and debug information
- Static forward and reverse tunneling (TCP, UDP, Unix socket, Stdio)
- Dynamic tunneling (TCP, UDP Socks5 proxy, and Transparent Proxy)
- Support for http proxy (when behind one)
- Support of proxy protocol
- Support for tls/https server with certificates auto-reload (with an embedded self-signed certificate, or your own)
- Support of mTLS with certificates auto-reload – documentation here
- Support IPv6
- Support for Websocket and HTTP2 as transport protocol (websocket is more performant)
- Standalone binaries (so just cp it where you want) here
Maximize your stealthiness/Make your traffic discrete
- Use wstunnel with TLS activated (wss://) and use your own certificate
- Embedded certificate is self-signed and are the same for everyone, so can be easily fingerprinted/flagged
- Use valid certificate (i.e: with Let’s Encrypt), self-signed certificate are suspicious
- Use a custom http path prefix (see
--http-upgrade-path-prefixoption)- To avoid having the same url than every other wstunnel user
- Change your tls-sni-override to a domain is known to be allowed (i.e: google.com, baidu.com, etc…)
- this will not work if your wstunnel server is behind a reverse proxy (i.e: Nginx, Cloudflare, HAProxy, …)
Install & Use
Copyright (c) 2016-2024, Erèbe – Romain Gerard