Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/pufferffish/wireproxy

Wireguard client that exposes itself as a socks5 proxy
https://github.com/pufferffish/wireproxy

golang network proxy socks5 socks5-proxy vpn wireguard wireguard-tunnel

Last synced: 25 days ago
JSON representation

Wireguard client that exposes itself as a socks5 proxy

Host: GitHub
URL: https://github.com/pufferffish/wireproxy
Owner: pufferffish
License: isc
Created: 2022-03-11T12:32:10.000Z (over 2 years ago)
Default Branch: master
Last Pushed: 2024-04-19T14:43:28.000Z (7 months ago)
Last Synced: 2024-05-22T06:08:32.876Z (6 months ago)
Topics: golang, network, proxy, socks5, socks5-proxy, vpn, wireguard, wireguard-tunnel
Language: Go
Homepage:
Size: 167 KB
Stars: 4,003
Watchers: 25
Forks: 229
Open Issues: 34
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

awesome-repositories - pufferffish/wireproxy - Wireguard client that exposes itself as a socks5 proxy (Go)
awesome-starred - pufferffish/wireproxy - Wireguard client that exposes itself as a socks5 proxy (golang)

README

        # wireproxy

[![ISC licensed](https://img.shields.io/badge/license-ISC-blue)](./LICENSE)

[![Build status](https://github.com/octeep/wireproxy/actions/workflows/build.yml/badge.svg)](https://github.com/octeep/wireproxy/actions)

[![Documentation](https://img.shields.io/badge/godoc-wireproxy-blue)](https://pkg.go.dev/github.com/octeep/wireproxy)

A wireguard client that exposes itself as a socks5/http proxy or tunnels.

# What is this

`wireproxy` is a completely userspace application that connects to a wireguard peer,

and exposes a socks5/http proxy or tunnels on the machine. This can be useful if you need

to connect to certain sites via a wireguard peer, but can't be bothered to setup a new network

interface for whatever reasons.

# Why you might want this

- You simply want to use wireguard as a way to proxy some traffic.

- You don't want root permission just to change wireguard settings.

Currently, I'm running wireproxy connected to a wireguard server in another country,

and configured my browser to use wireproxy for certain sites. It's pretty useful since

wireproxy is completely isolated from my network interfaces, and I don't need root to configure

anything.

Users who want something similar but for Amnezia VPN can use [this fork](https://github.com/artem-russkikh/wireproxy-awg)

of wireproxy by [@artem-russkikh](https://github.com/artem-russkikh).

# Feature

- TCP static routing for client and server

- SOCKS5/HTTP proxy (currently only CONNECT is supported)

# TODO

- UDP Support in SOCKS5

- UDP static routing

# Usage

```

./wireproxy [-c path to config]

```

```

usage: wireproxy [-h|--help] [-c|--config ""] [-s|--silent]

                 [-d|--daemon] [-i|--info ""] [-v|--version]

                 [-n|--configtest]

                 Userspace wireguard client for proxying

Arguments:

  -h  --help        Print help information

  -c  --config      Path of configuration file

                    Default paths: /etc/wireproxy/wireproxy.conf, $HOME/.config/wireproxy.conf

  -s  --silent      Silent mode

  -d  --daemon      Make wireproxy run in background

  -i  --info        Specify the address and port for exposing health status

  -v  --version     Print version

  -n  --configtest  Configtest mode. Only check the configuration file for

                    validity.

```

# Build instruction

```

git clone https://github.com/octeep/wireproxy

cd wireproxy

make

```

# Use with VPN

Instructions for using wireproxy with Firefox container tabs and auto-start on MacOS can be found [here](/UseWithVPN.md).

# Sample config file

```

# The [Interface] and [Peer] configurations follow the same semantics and meaning

# of a wg-quick configuration. To understand what these fields mean, please refer to:

# https://wiki.archlinux.org/title/WireGuard#Persistent_configuration

# https://www.wireguard.com/#simple-network-interface

[Interface]

Address = 10.200.200.2/32 # The subnet should be /32 and /128 for IPv4 and v6 respectively

# MTU = 1420 (optional)

PrivateKey = uCTIK+56CPyCvwJxmU5dBfuyJvPuSXAq1FzHdnIxe1Q=

# PrivateKey = $MY_WIREGUARD_PRIVATE_KEY # Alternatively, reference environment variables

DNS = 10.200.200.1

[Peer]

PublicKey = QP+A67Z2UBrMgvNIdHv8gPel5URWNLS4B3ZQ2hQIZlg=

# PresharedKey = UItQuvLsyh50ucXHfjF0bbR4IIpVBd74lwKc8uIPXXs= (optional)

Endpoint = my.ddns.example.com:51820

# PersistentKeepalive = 25 (optional)

# TCPClientTunnel is a tunnel listening on your machine,

# and it forwards any TCP traffic received to the specified target via wireguard.

# Flow:

#  --> localhost:25565 --(wireguard)--> play.cubecraft.net:25565

[TCPClientTunnel]

BindAddress = 127.0.0.1:25565

Target = play.cubecraft.net:25565

# TCPServerTunnel is a tunnel listening on wireguard,

# and it forwards any TCP traffic received to the specified target via local network.

# Flow:

#  --(wireguard)--> 172.16.31.2:3422 --> localhost:25545

[TCPServerTunnel]

ListenPort = 3422

Target = localhost:25545

# STDIOTunnel is a tunnel connecting the standard input and output of the wireproxy

# process to the specified TCP target via wireguard.

# This is especially useful to use wireproxy as a ProxyCommand parameter in openssh

# For example:

#    ssh -o ProxyCommand='wireproxy -c myconfig.conf' ssh.myserver.net

# Flow:

# Piped command -->(wireguard)--> ssh.myserver.net:22

[STDIOTunnel]

Target = ssh.myserver.net:22

# Socks5 creates a socks5 proxy on your LAN, and all traffic would be routed via wireguard.

[Socks5]

BindAddress = 127.0.0.1:25344

# Socks5 authentication parameters, specifying username and password enables

# proxy authentication.

#Username = ...

# Avoid using spaces in the password field

#Password = ...

# http creates a http proxy on your LAN, and all traffic would be routed via wireguard.

[http]

BindAddress = 127.0.0.1:25345

# HTTP authentication parameters, specifying username and password enables

# proxy authentication.

#Username = ...

# Avoid using spaces in the password field

#Password = ...

```

Alternatively, if you already have a wireguard config, you can import it in the

wireproxy config file like this:

```

WGConfig = 

# Same semantics as above

[TCPClientTunnel]

...

[TCPServerTunnel]

...

[Socks5]

...

```

Having multiple peers is also supported. `AllowedIPs` would need to be specified

such that wireproxy would know which peer to forward to.

```

[Interface]

Address = 10.254.254.40/32

PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

[Peer]

Endpoint = 192.168.0.204:51820

PublicKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=

AllowedIPs = 10.254.254.100/32

PersistentKeepalive = 25

[Peer]

PublicKey = ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=

AllowedIPs = 10.254.254.1/32, fdee:1337:c000:d00d::1/128

Endpoint = 172.16.0.185:44044

PersistentKeepalive = 25

[TCPServerTunnel]

ListenPort = 5000

Target = service-one.servicenet:5000

[TCPServerTunnel]

ListenPort = 5001

Target = service-two.servicenet:5001

[TCPServerTunnel]

ListenPort = 5080

Target = service-three.servicenet:80

```

Wireproxy can also allow peers to connect to it:

```

[Interface]

ListenPort = 5400

...

[Peer]

PublicKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=

AllowedIPs = 10.254.254.100/32

# Note there is no Endpoint defined here.

```

# Health endpoint

Wireproxy supports exposing a health endpoint for monitoring purposes.

The argument `--info/-i` specifies an address and port (e.g. `localhost:9080`), which exposes a HTTP server that provides health status metric of the server.

Currently two endpoints are implemented:

`/metrics`: Exposes information of the wireguard daemon, this provides the same information you would get with `wg show`. [This](https://www.wireguard.com/xplatform/#example-dialog) shows an example of what the response would look like.

`/readyz`: This responds with a json which shows the last time a pong is received from an IP specified with `CheckAlive`. When `CheckAlive` is set, a ping is sent out to addresses in `CheckAlive` per `CheckAliveInterval` seconds (defaults to 5) via wireguard. If a pong has not been received from one of the addresses within the last `CheckAliveInterval` seconds (+2 seconds for some leeway to account for latency), then it would respond with a 503, otherwise a 200.

For example:

```

[Interface]

PrivateKey = censored

Address = 10.2.0.2/32

DNS = 10.2.0.1

CheckAlive = 1.1.1.1, 3.3.3.3

CheckAliveInterval = 3

[Peer]

PublicKey = censored

AllowedIPs = 0.0.0.0/0

Endpoint = 149.34.244.174:51820

[Socks5]

BindAddress = 127.0.0.1:25344

```

`/readyz` would respond with

```

< HTTP/1.1 503 Service Unavailable

< Date: Thu, 11 Apr 2024 00:54:59 GMT

< Content-Length: 35

< Content-Type: text/plain; charset=utf-8

<

{"1.1.1.1":1712796899,"3.3.3.3":0}

```

And for:

```

[Interface]

PrivateKey = censored

Address = 10.2.0.2/32

DNS = 10.2.0.1

CheckAlive = 1.1.1.1

```

`/readyz` would respond with

```

< HTTP/1.1 200 OK

< Date: Thu, 11 Apr 2024 00:56:21 GMT

< Content-Length: 23

< Content-Type: text/plain; charset=utf-8

<

{"1.1.1.1":1712796979}

```

If nothing is set for `CheckAlive`, an empty JSON object with 200 will be the response.

The peer which the ICMP ping packet is routed to depends on the `AllowedIPs` set for each peers.

# Stargazers over time

[![Stargazers over time](https://starchart.cc/octeep/wireproxy.svg)](https://starchart.cc/octeep/wireproxy)