Establish a TCP socket tunnel over a WebSocket connection, for circumventing strict firewalls. The server can still see the real IP of the connecting client (even with CloudFlare in front).
Please refer to the project mothership.
- Only Linux systems are supported. BSD support is unknown.
- Install the `git` and (`node` or `nodejs`) packages, then:

```
$ git clone https://github.com/Saren-Arterius/wstunnel.git
$ cd wstunnel
$ npm install
```
Assume that:

- You have a TCP service listening on port `25565`
- Your external network interface is `eth0`, whose IP is `192.168.0.50`
- Your internet IP is `8.8.8.8`
- `wstunnel` will be listening on port `35565`

In that case, clients will be connecting to `8.8.8.8:25565` through `ws://8.8.8.8:35565`.
To make the transparent proxy work, we need to give node's executable the `CAP_NET_ADMIN` capability. If you wish `wstunnel` to listen on lower ports, `CAP_NET_BIND_SERVICE` should be given as well. If you just don't care about security, simply run node as root.

To give it the capability, you can either copy the node binary into `bin/` and set the capability on the copy:

```
# cd bin && cp /usr/bin/node . && setcap cap_net_admin+pe node
```

or set it on the system-wide binary:

```
# setcap cap_net_admin+pe /usr/bin/node
```
- Make a systemd unit like the following, then start it later. The unit runs as `nobody`, so it relies on the file capability set above; `CapabilityBoundingSet` only limits which capabilities the process may keep, and the `Documentation=` line copied from another service has been dropped.

```
[Unit]
Description=wstunnel transparent proxy
After=network.target

[Service]
ExecStart=/usr/bin/node /path/to/wstunnel/bin/wstt.js -s 0.0.0.0:35565 -t 192.168.0.50:25565
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=1
KillMode=process
CapabilityBoundingSet=CAP_NET_ADMIN
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true
User=nobody

[Install]
WantedBy=multi-user.target
```
- Add the following firewall and routing rules (the service's reply packets, leaving `eth0` with source port `25565`, are marked and routed back to the local host so that `wstunnel` can receive them):

```
# iptables -t mangle -N WSTUNNEL
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 25565 --jump WSTUNNEL
# iptables -t mangle -A WSTUNNEL --jump MARK --set-mark 0x1
# iptables -t mangle -A WSTUNNEL --jump ACCEPT
# ip rule add fwmark 0x1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100
```

- Remember to open the WebSocket port:

```
# iptables -A INPUT -m tcp -p tcp --dport 35565 -j ACCEPT
```

  so that clients can connect through `ws://8.8.8.8:35565`. Or just refer to `start.sh`.
- If you have previously made a systemd unit, simply start it.
- If you copied `node` to `/path/to/wstunnel/bin/` and performed `setcap`:

  ```
  $ /path/to/wstunnel/bin/node /path/to/wstunnel/bin/wstt.js -s 0.0.0.0:35565 -t 192.168.0.50:25565
  ```

- If you performed `setcap` on `/usr/bin/node`:

  ```
  $ /usr/bin/node /path/to/wstunnel/bin/wstt.js -s 0.0.0.0:35565 -t 192.168.0.50:25565
  ```

- If you don't care at all:

  ```
  # /usr/bin/node /path/to/wstunnel/bin/wstt.js -s 0.0.0.0:35565 -t 192.168.0.50:25565
  ```

- Don't do

  ```
  # /usr/bin/node /path/to/wstunnel/bin/wstt.js -s 0.0.0.0:35565 -t 127.0.0.1:25565
  ```

  You must proxy the traffic to a non-lo IP address. Just use `192.168.0.50:25565`.
- https://github.com/mhzed/wstunnel (Base)
- https://github.com/inDream/wstunnel (Original transparent proxy fork)
- yrutschle for sslh repo and answers to my question
- inDream for code changes and implementation
- You for reading this