wstunnel: Tunnel all your traffic over Websocket or HTTP2 – Bypass firewalls/DPI
wstunnel
Most of the time when you are using a public network, you are behind some kind of firewall or proxy. One of their purposes is to restrict you to certain kinds of protocols and to a subset of the web. Nowadays, the most widespread protocol is HTTP, and it is de facto allowed by third-party equipment.
Wstunnel uses the WebSocket protocol, which is compatible with HTTP, to bypass firewalls and proxies. Wstunnel allows you to tunnel whatever traffic you want and access whatever resources/sites you need.
What to expect:
- Easy to use
- Good error messages and debug information
- Static forward and reverse tunneling (TCP, UDP, Unix socket, Stdio)
- Dynamic tunneling (TCP, UDP Socks5 proxy, and Transparent Proxy)
- Support for http proxy (when behind one)
- Support for proxy protocol
- Support for TLS/HTTPS server with certificates auto-reload (with an embedded self-signed certificate, or your own)
- Support for mTLS with certificates auto-reload
- Support for IPv6
- Support for Websocket and HTTP2 as transport protocol (websocket is more performant)
- Standalone binaries (so just cp it where you want)
Maximize your stealthiness/Make your traffic discreet
- Use wstunnel with TLS activated (wss://) and use your own certificate
  - The embedded certificate is self-signed and is the same for everyone, so it can be easily fingerprinted/flagged
  - Use a valid certificate (e.g. from Let’s Encrypt); self-signed certificates are suspicious
- Use a custom HTTP path prefix (see the --http-upgrade-path-prefix option)
  - To avoid having the same URL as every other wstunnel user
- Change your tls-sni-override to a domain that is known to be allowed (e.g. google.com, baidu.com, etc.)
  - This will not work if your wstunnel server is behind a reverse proxy (e.g. Nginx, Cloudflare, HAProxy, …)
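Seen from the network defender's side, the properties named in this list (a self-signed certificate reused across servers, an SNI the server certificate does not cover) are what a review of TLS session logs checks for. The sketch below is an added example, not part of wstunnel or its documentation. The record layout, field names and flag names are assumptions, the sample sessions are constructed, and it assumes a sensor that can see the server certificate (a TLS-inspecting proxy or an active probe).

```python
from collections import defaultdict

# Constructed TLS session records (documentation IP ranges, made-up fingerprints).
SESSIONS = [
    {"dst": "192.0.2.10", "sni": "www.example.org", "subject": "CN=www.example.org",
     "issuer": "CN=Example CA", "sans": ["*.example.org"], "fp": "f1"},
    {"dst": "198.51.100.5", "sni": "files.example.net", "subject": "CN=placeholder.invalid",
     "issuer": "CN=placeholder.invalid", "sans": ["placeholder.invalid"], "fp": "e0"},
    {"dst": "203.0.113.9", "sni": "cdn.example.com", "subject": "CN=placeholder.invalid",
     "issuer": "CN=placeholder.invalid", "sans": ["placeholder.invalid"], "fp": "e0"},
    {"dst": "203.0.113.77", "sni": "google.com", "subject": "CN=vpn.example.net",
     "issuer": "CN=Example CA", "sans": ["vpn.example.net"], "fp": "c3"},
]


def san_covers(san, host):
    """Exact match, or one left-most wildcard label (*.example.org ~ www.example.org)."""
    san, host = san.lower(), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def review(sessions, reuse_threshold=2):
    """Return (dst, sni, flags) for every session that raises at least one flag."""
    servers_by_fp = defaultdict(set)
    for s in sessions:
        servers_by_fp[s["fp"]].add(s["dst"])

    findings = []
    for s in sessions:
        flags = []
        self_signed = s["subject"] == s["issuer"]
        if self_signed:
            flags.append("self-signed")
        # The same self-signed certificate on several unrelated servers points
        # to a certificate shipped inside a tool rather than issued per host.
        if self_signed and len(servers_by_fp[s["fp"]]) >= reuse_threshold:
            flags.append("self-signed-cert-reused")
        # An SNI the presented certificate does not cover is what an
        # overridden SNI looks like when the server keeps its own certificate.
        if not any(san_covers(n, s["sni"]) for n in s["sans"]):
            flags.append("sni-not-in-cert")
        if flags:
            findings.append((s["dst"], s["sni"], flags))
    return findings


if __name__ == "__main__":
    for dst, sni, flags in review(SESSIONS):
        print(dst, sni, ",".join(flags))
```

With TLS 1.3 the server certificate is encrypted on the wire, so a purely passive sensor would have to compare the SNI against DNS answers for the destination address instead.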
Install & Use
Copyright (c) 2016-2024, Erèbe – Romain Gerard