wstunnel: Tunnel all your traffic over Websocket or HTTP2 – Bypass firewalls/DPI


Most of the time when you are using a public network, you are behind some kind of firewall or proxy. One of their purposes is to constrain you to only use certain kinds of protocols and consult only a subset of the web. Nowadays, the most widespread protocol is http and is de facto allowed by third-party equipment.

Wstunnel uses the websocket protocol which is compatible with http to bypass firewalls and proxies. Wstunnel allows you to tunnel whatever traffic you want and access whatever resources/site you need.

What to expect:

  • Easy to use
  • Good error messages and debug information
  • Static forward and reverse tunneling (TCP, UDP, Unix socket, Stdio)
  • Dynamic tunneling (TCP, UDP Socks5 proxy, and Transparent Proxy)
  • Support for http proxy (when behind one)
  • Support of proxy protocol
  • Support for tls/https server with certificates auto-reload (with an embedded self-signed certificate, or your own)
  • Support of mTLS with certificates auto-reload – documentation here
  • Support IPv6
  • Support for Websocket and HTTP2 as transport protocol (websocket is more performant)
  • Standalone binaries (so just cp it where you want) here

Maximize your stealthiness/Make your traffic discrete


  • Use wstunnel with TLS activated (wss://) and use your own certificate
    • Embedded certificate is self-signed and are the same for everyone, so can be easily fingerprinted/flagged
    • Use valid certificate (i.e: with Let’s Encrypt), self-signed certificate are suspicious
  • Use a custom http path prefix (see --http-upgrade-path-prefix option)
    • To avoid having the same url than every other wstunnel user
  • Change your tls-sni-override to a domain is known to be allowed (i.e:,, etc…)
    • this will not work if your wstunnel server is behind a reverse proxy (i.e: Nginx, Cloudflare, HAProxy, …)

Install & Use

Copyright (c) 2016-2024, Erèbe – Romain Gerard