{"id":14563631,"url":"https://github.com/SenseUnit/dtlspipe","last_synced_at":"2025-09-04T06:32:38.424Z","repository":{"id":191292652,"uuid":"683751005","full_name":"SenseUnit/dtlspipe","owner":"SenseUnit","description":"Generic DTLS wrapper for UDP sessions","archived":false,"fork":false,"pushed_at":"2025-08-16T11:51:40.000Z","size":115,"stargazers_count":158,"open_issues_count":1,"forks_count":11,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-08-16T13:45:25.190Z","etag":null,"topics":["dpi","dpi-bypassing","dtls","dtls-psk","dtls12","openvpn","psk","stunnel","udp","udp-proxy","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SenseUnit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-08-27T15:34:31.000Z","updated_at":"2025-08-16T11:50:34.000Z","dependencies_parsed_at":"2023-09-28T17:28:37.666Z","dependency_job_id":"f85fc280-5b4b-4f54-9723-cddb7acf2ac8","html_url":"https://github.com/SenseUnit/dtlspipe","commit_stats":null,"previous_names":["snawoot/dtlspipe","senseunit/dtlspipe"],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/SenseUnit/dtlspipe","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fdtlspipe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fdtlspipe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fdtlspipe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/SenseUnit%2Fdtlspipe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SenseUnit","download_url":"https://codeload.github.com/SenseUnit/dtlspipe/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fdtlspipe/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273566480,"owners_count":25128621,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dpi","dpi-bypassing","dtls","dtls-psk","dtls12","openvpn","psk","stunnel","udp","udp-proxy","wireguard"],"created_at":"2024-09-07T02:04:18.632Z","updated_at":"2025-09-04T06:32:38.394Z","avatar_url":"https://github.com/SenseUnit.png","language":"Go","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"# dtlspipe\n\nGeneric DTLS wrapper for UDP sessions. Like `stunnel`, but for UDP. Suitable for wrapping Wireguard or UDP OpenVPN or any other connection-oriented UDP sessions.\n\n\"Client\" receives plaintext UDP traffic and forwards it to \"Server\" via an encrypted DTLS connection. 
\"Server\" listens on a UDP port and accepts encrypted DTLS sessions, forwarding messages from each session as a separate UDP connection to the plaintext UDP port.\n\n## Features\n\n* Cross-platform (Windows/Mac OS/Linux/Android/\\*BSD)\n* Uses proven DTLS crypto for secure datagram tunneling\n* Simple configuration: just a pre-shared key, a listen address and a forward address.\n\n## Installation\n\n### Binaries\n\nPre-built binaries are available [here](https://github.com/SenseUnit/dtlspipe/releases/latest).\n\n### Build from source\n\nAlternatively, you may install dtlspipe from source. Run the following command within the source directory:\n\n```\nmake install\n```\n\n## Usage\n\n### Generic case\n\nLet's assume you have the following setup: you have a server with public IP address 203.0.113.11, running some UDP service on port 514. You want to access this service securely and have UDP datagrams between you and this service encrypted and authenticated.\n\n1. Generate a pre-shared key with the command `dtlspipe genpsk`\n2. Run dtlspipe-server on the server machine: `dtlspipe -psk xxxxxxxxxxxx server 0.0.0.0:2815 127.0.0.1:514`\n3. Run dtlspipe-client on your machine: `dtlspipe -psk xxxxxxxxxxxx client 127.0.0.1:2816 203.0.113.11:2815`\n4. Use address `127.0.0.1:2816` instead of `203.0.113.11:514` for communication with the service.\n\nA few notes:\n\n* You may use any ports instead of 2815 and 2816.\n* Use of the localhost address `127.0.0.1` for the port bind is optional too; it is used in the example to restrict port access to localhost only. Use `0.0.0.0` to allow network access from outside.\n* The PSK can also be specified via the `DTLSPIPE_PSK` environment variable.\n\n### Wireguard\n\nThe dtlspipe setup can follow the example for the generic case; more specifically, the dtlspipe server should point to the wireguard server port, and the wireguard client should communicate with the port of the dtlspipe client.\n\nYou need to make the following adjustments to the wireguard client config:\n\n1. 
Use the bind address of the dtlspipe client as the endpoint for the client's wireguard connection.\n2. Use a smaller MTU for the wireguard tunnel: add `MTU = 1280` to the `[Peer]` section of the wireguard client and server tunnel config.\n3. Exclude the dtlspipe server address from `AllowedIPs` in the wireguard client config. [This calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/) may help you. Example for server address `203.0.113.11`:\n\n```\nAllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/5, 200.0.0.0/7, 202.0.0.0/8, 203.0.0.0/18, 203.0.64.0/19, 203.0.96.0/20, 203.0.112.0/24, 203.0.113.0/29, 203.0.113.8/31, 203.0.113.10/32, 203.0.113.12/30, 203.0.113.16/28, 203.0.113.32/27, 203.0.113.64/26, 203.0.113.128/25, 203.0.114.0/23, 203.0.116.0/22, 203.0.120.0/21, 203.0.128.0/17, 203.1.0.0/16, 203.2.0.0/15, 203.4.0.0/14, 203.8.0.0/13, 203.16.0.0/12, 203.32.0.0/11, 203.64.0.0/10, 203.128.0.0/9, 204.0.0.0/6, 208.0.0.0/4, 224.0.0.0/3, ::/0\n```\n\n## Additional notes\n\nThe dtlspipe server skips the HelloVerify message by default in order to work around some DPI systems. This is associated with [some DoS security risks](https://datatracker.ietf.org/doc/html/rfc6347#section-4.2.1). Please add the server option `-skip-hello-verify=false` if such behavior is undesirable. Alternatively, such risks may be mitigated with a firewall that restricts the session count on the server port.\n\n## Synopsis\n\n```\n$ dtlspipe -h\nUsage:\n\ndtlspipe [OPTION]... server \u003cBIND ADDRESS\u003e \u003cREMOTE ADDRESS\u003e\n\n  Run server listening on BIND ADDRESS for DTLS datagrams and forwarding decrypted UDP datagrams to REMOTE ADDRESS.\n\ndtlspipe [OPTION]... client \u003cBIND ADDRESS\u003e \u003cREMOTE ADDRESS\u003e\n\n  Run client listening on BIND ADDRESS for UDP datagrams and forwarding encrypted DTLS datagrams to REMOTE ADDRESS.\n\ndtlspipe [OPTION]... 
hoppingclient \u003cBIND ADDRESS\u003e \u003cENDPOINT GROUP\u003e [ENDPOINT GROUP]...\n\n  Run client listening on BIND ADDRESS for UDP datagrams and forwarding encrypted DTLS datagrams to a random chosen endpoints.\n\n  Endpoints are specified by a list of one or more ENDPOINT GROUP. ENDPOINT GROUP syntax is defined by following ABNF:\n\n    ENDPOINT-GROUP = address-term *( \",\" address-term ) \":\" Port\n    address-term = Domain / IP-range / IP-prefix / IP-address\n    Domain = \u003cDefined in Section 4.1.2 of [RFC5321]\u003e\n    IP-range = ( IPv4address \"..\" IPv4address ) / ( IPv6address \"..\" IPv6address )\n    IP-prefix = IP-address \"/\" 1*DIGIT\n    IP-address = IPv6address / IPv4address\n    IPv4address = \u003cDefined in Section 4.1 of [RFC5954]\u003e\n    IPv6address = \u003cDefined in Section 4.1 of [RFC5954]\u003e\n\n  Endpoint is chosen randomly as follows.\n  First, random ENDPOINT GROUP is chosen with equal probability.\n  Next, address is chosen from address sets specified by that group, with probability\n  proportional to size of that set. Domain names and single addresses condidered \n  as sets having size 1, ranges and prefixes have size as count of addresses in it.\n\n  Example: 'example.org:20000-50000' '192.168.0.0/16,10.0.0.0/8,172.16.0.0-172.31.255.255:50000-60000'\n\ndtlspipe [OPTION]... 
genpsk\n\n  Generate and output PSK.\n\ndtlspipe ciphers\n\n  Print list of supported ciphers and exit.\n\ndtlspipe curves\n\n  Print list of supported elliptic curves and exit.\n\ndtlspipe version\n\n  Print program version and exit.\n\nOptions:\n  -cid\n    \tenable connection_id extension (default true)\n  -ciphers value\n    \tcolon-separated list of ciphers to use\n  -cpuprofile string\n    \twrite cpu profile to file\n  -curves value\n    \tcolon-separated list of curves to use\n  -identity string\n    \tclient identity sent to server\n  -idle-time duration\n    \tmax idle time for UDP session (default 30s)\n  -key-length uint\n    \tgenerate key with specified length (default 16)\n  -mtu int\n    \tMTU used for DTLS fragments (default 1400)\n  -psk string\n    \thex-encoded pre-shared key. Can be generated with genpsk subcommand\n  -rate-limit value\n    \tlimit for incoming connections rate. Format: \u003climit\u003e/\u003ctime duration\u003e or empty string to disable (default 20/1m0s)\n  -skip-hello-verify\n    \t(server only) skip hello verify request. Useful to workaround DPI (default true)\n  -stale-mode value\n    \twhich stale side of connection makes whole session stale (both, either, left, right) (default either)\n  -time-limit duration\n    \tlimit for each session duration. Use single value X for fixed limit or range X-Y for randomized limit\n  -timeout duration\n    \tnetwork operation timeout (default 10s)\n```\n\n## See also\n\n* [Project Wiki](https://github.com/SenseUnit/dtlspipe/wiki)\n* [Community in Telegram](https://t.me/alternative_proxy/8557)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSenseUnit%2Fdtlspipe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSenseUnit%2Fdtlspipe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSenseUnit%2Fdtlspipe/lists"}